Allow parsing signed JWTs without the key
AnnKont opened this issue · 1 comments
AnnKont commented
bdemers commented
Parsing a signed JWT (a JWS) without the key should always be considered unsafe.
Exactly how unsafe it is is up to your particular environment (and how much risk is acceptable).
To see how it would work in action you can take a look at https://token.dev.
Start with the default example, and then change the algorithm dropdown to a different value, and then to none.
You will notice that the header and signature sections of the compact JWT string change, but the middle section will stay the same. You can copy/paste the middle section into https://www.base64decode.org/, and you will see the JSON payload.
TL;DR: removing the signature validation removes all of the security associated with a JWT.
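The following is an added example illustrating the point made in the comment above; it is not code from the project this issue was filed against, nor from either commenter. It uses only the Python standard library, with a constructed demo key and constructed claims, to contrast the "parse without the key" operation (reading the middle section) with a verifying parse that pins the algorithm and checks the HMAC. The helper names (`sign_hs256`, `peek_claims_unverified`, `verify_hs256`, `tampered_copy`, `demo`) are this example's own.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for this example only; real keys come from a secret store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used by compact JWS serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore padding before decoding a compact JWS segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature for HS256 (HMAC-SHA256)."""
    signing_input = f"{_json_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_json_segment(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def peek_claims_unverified(token: str) -> dict:
    """The 'parse without the key' operation: decodes the middle section only.
    Anyone holding the string can do this; it proves nothing about who issued it."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes) -> dict:
    """Verifying parse: requires exactly three segments, pins alg to HS256
    (so a header claiming 'none' is rejected outright), and checks the MAC."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def tampered_copy(token: str, new_claims: dict) -> str:
    """Constructed test input: same header and signature, edited middle section.
    This is the situation an unverified parse cannot detect."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_json_segment(new_claims)}.{sig_b64}"


def _rejects(fn) -> bool:
    """True if the verifying parse raised ValueError."""
    try:
        fn()
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run the comparison on constructed tokens and return what each parse reports."""
    token = sign_hs256({"sub": "alice", "role": "user"}, DEMO_KEY)
    forged = tampered_copy(token, {"sub": "alice", "role": "admin"})
    # A token whose header says 'none' and carries an empty signature segment.
    none_token = f"{_json_segment({'alg': 'none', 'typ': 'JWT'})}.{_json_segment({'sub': 'alice', 'role': 'admin'})}."
    return {
        "unverified_original": peek_claims_unverified(token)["role"],
        "unverified_tampered": peek_claims_unverified(forged)["role"],   # reads "admin" happily
        "verified_original": verify_hs256(token, DEMO_KEY)["role"],
        "verified_tampered_rejected": _rejects(lambda: verify_hs256(forged, DEMO_KEY)),
        "verified_none_rejected": _rejects(lambda: verify_hs256(none_token, DEMO_KEY)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unverified peek returns whatever the middle section says, for the genuine token and the edited one alike, which is the point of the comment: the payload is readable without the key, but nothing about it can be trusted. A real JWT library performs the `verify_hs256` path for you; the design choice worth copying from it is pinning the expected algorithm on the verifier side rather than honouring whatever `alg` the header announces.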