Some libraries don't make it easy (or possible) to check that the algorithm used by the JWT sent by the client is in fact the algorithm you're using and want the client to come back with, see i.e. https://auth0.com/blog/critical-vulnerabilities-in-json-web-...