JWT RSA -> Chicken and egg problem
To correctly decode & verify a JWT, one needs access to the header, so that the correct JWK can be looked up using the value of the "kid" claim.
However, to access the headers, one needs to correctly decode the JWT, using the correct key.
Actually, the decode process and the verification process should be separate; we should be able to access the decoded info without actually verifying the signature, or at least the header.
There is a method to extract out the header: unverified_header.
You might want to make sure the key you get from extracting the header is in some sort of whitelist.
Yeah thanks. Auth0 makes use of the .well_known/jwks.json, so it will be fetched from there :)
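The two-phase flow the thread settles on (read the header unverified, look the kid up in the published JWKS, which acts as the whitelist, and only then check the signature), as an added standard-library Python example that is not the library's own code. It uses a constructed "oct"/HS256 key because RS256 needs a third-party library; the JWKS, kid and secret are all constructed, and in an RS256 setup the header extraction and key selection stay the same while the signature check is handed to the JWT library with the RSA key.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# Constructed key set standing in for what the issuer publishes at
# /.well-known/jwks.json. RS256 keys would carry "kty": "RSA" with "n"/"e".
SECRET = b"constructed-secret-0123456789"
JWKS = {"keys": [{"kty": "oct", "kid": "2024-key", "alg": "HS256", "k": b64url_encode(SECRET)}]}


def get_unverified_header(token: str) -> dict:
    """Phase 1: decode only the header segment; nothing in it is trusted yet."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(b64url_decode(parts[0]))


def select_key(header: dict, jwks: dict, expected_alg: str = "HS256") -> bytes:
    """Phase 2: the published key set is the whitelist; the algorithm is pinned by the verifier."""
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    for jwk in jwks["keys"]:
        if jwk.get("kid") == header.get("kid") and jwk.get("kty") == "oct":
            return b64url_decode(jwk["k"])
    raise LookupError(f"kid {header.get('kid')!r} not in JWKS")


def verify(token: str, jwks: dict) -> dict:
    """Phase 3: check the signature with the selected key, then release the claims."""
    key = select_key(get_unverified_header(token), jwks)
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def sign(claims: dict, kid: str, key: bytes) -> str:
    """Issuer side, present only so the example can mint a token to verify."""
    head = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"
```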
I'm closing this now because I think your issue is resolved. Please reopen this if you think otherwise.