jwtk/jjwt

Allow parsing signed JWTs without the key

AnnKont opened this issue · 1 comments

I have the same problem as written here. I have a JWT and I need to parse it, but I don't have any keys. I don't want to do it like in the last comment because it is unsafe (and it does not work). Please suggest another solution for the latest version of the library.

Parsing a signed JWT (a JWS) without the key should always be considered unsafe.
Exactly how unsafe it is depends on your particular environment (and how much risk is acceptable).

To see how it would work in action you can take a look at https://token.dev.
Start with the default example, and then change the algorithm dropdown to a different value, and then to none.
You will notice that the header and signature sections of the compact JWT string change, but the middle section will stay the same. You can copy/paste the middle section into https://www.base64decode.org/, and you will see the JSON payload.

TL;DR: removing the signature validation removes all of the security associated with a JWT.
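The token.dev walk-through above in runnable form, as an added example that is neither jjwt's code nor part of the comment: the middle segment of a compact JWS decodes without any key, but only the HMAC check over `header.payload` tells a verifier whether those claims are the issuer's. The secret, the claims and the helper names (`sign_hs256`, `decode_unverified`, `verify_hs256`, `swap_payload`, `unsecured_token`) are constructed for this demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret (not real key material): only the issuer and verifier hold it.
SECRET = b"constructed-demo-secret-do-not-reuse"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # Compact JWS segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issuer side: HMAC-SHA256 over the first two segments, appended as the third."""
    signing_input = encode_json({"alg": "HS256", "typ": "JWT"}) + "." + encode_json(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def decode_unverified(token: str) -> dict:
    """Parsing 'without the key': the claims are readable, but nothing vouches for them."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, key: bytes):
    """Verifier side: returns the claims only if alg is HS256 and the MAC matches, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # pin the expected algorithm; "none" and anything else are rejected
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))

def swap_payload(token: str, claims: dict) -> str:
    """Replaces the middle segment, keeping header and signature; needs no key at all."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + encode_json(claims) + "." + sig_b64

def unsecured_token(claims: dict) -> str:
    """The alg=none variant from the token.dev dropdown: same payload, empty signature segment."""
    return encode_json({"alg": "none", "typ": "JWT"}) + "." + encode_json(claims) + "."
```

A verifier that skips `verify_hs256` and trusts `decode_unverified` accepts the swapped payload and the alg=none token alike, which is the "removes all of the security" point above in code.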