FusionAuth/fusionauth-jwt

The library does not check the situation if signature algorithm is defined but no signature is provided

dmak opened this issue · 2 comments

dmak commented

Please double-check this is a valid issue. According to JWS §4.1.1 the "alg" Header Parameter MUST be present and MUST be understood and processed by implementations.

In my opinion that means that if "alg" is not "none", then a signature must be present and verified. The attached JwtTest.java.txt demonstrates the problem.

Hi @dmak,

You are correct, this is not the intended behavior, I thought I had a test that covered this scenario. I added your test and resolved the issue.

Thanks for pointing this out.

Resolved in version 1.3.0
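The check the issue asks for, as an added example that is not part of this thread and not fusionauth-jwt's own code: a minimal HS256 compact-JWS verifier that pins the expected algorithm, refuses "none", and rejects a token whose "alg" promises a signature while the third segment is empty, before it ever compares MACs. The key and claims are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; any real deployment loads its key from a secret store.
SECRET = b"constructed-demo-secret"


def _b64url_decode(s: str) -> bytes:
    # JWS uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Mint a well-formed HS256 token (used here only to build test inputs)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Return the claims if and only if the token is a correctly signed JWS.

    Order of checks matters: structure, then the alg header (JWS 4.1.1 says
    it MUST be present and processed), then presence of the signature
    segment, and only then the MAC comparison.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS: expected three segments")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg is None:
        raise ValueError("alg header missing (required by JWS 4.1.1)")
    if alg == "none":
        raise ValueError("unsecured JWS (alg=none) is never accepted here")
    if alg != expected_alg:
        raise ValueError(f"alg {alg!r} does not match the expected {expected_alg!r}")

    # The defect in the issue: alg is set but no signature is present.
    # Refuse explicitly instead of silently skipping verification.
    if sig_b64 == "":
        raise ValueError(f"alg is {alg} but the signature segment is empty")

    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    return json.loads(_b64url_decode(payload_b64))


def is_accepted(token: str, key: bytes) -> bool:
    """Boolean wrapper so callers (and tests) can see accept/reject directly."""
    try:
        verify_hs256(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = make_hs256_token({"sub": "alice"}, SECRET)
    stripped = good.rsplit(".", 1)[0] + "."   # alg=HS256, signature removed
    print("signed token accepted:", is_accepted(good, SECRET))
    print("signature-stripped token accepted:", is_accepted(stripped, SECRET))
```

The explicit empty-signature branch is what the fixed library needs: with it, a token that declares HS256 but carries no signature is rejected for the right reason, rather than relying on the MAC comparison (or, as in the original bug, nothing at all) to catch it.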