Hi,

Tim McLean describes an attack vector on JWT-protected services in his blog post: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

The culprit is relying on the algorithm in the JWT header. The workaround/recommendation is to ignore the algorithm from the header and use a predefined one. The current RFC 7519 does not address this vulnerability. Will this problem be addressed in the standard?

Best regards,
Maciej Kwidziński

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
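The mitigation the post recommends (the verifier pins the algorithm instead of reading it from the header), shown side by side with the pattern it replaces. This is an added example written for this page; it is not code from the post, the linked blog, or any JWT library. It uses only the Python standard library, handles HS256 only, and the secret, the claims and the unsigned `alg: none` token are constructed test vectors, included so the reader can see the pinned verifier reject what the header-trusting one accepts.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real service loads this from a key store.
SECRET = b"constructed-demo-secret"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a token the way a well-behaved server does (header fixed to HS256)."""
    signing_input = _encode_part({"alg": "HS256", "typ": "JWT"}) + "." + _encode_part(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def unsigned_alg_none_token(payload: dict) -> str:
    """Constructed test vector: a token whose header claims alg=none and that
    carries no signature at all. A verifier must never accept this."""
    return _encode_part({"alg": "none", "typ": "JWT"}) + "." + _encode_part(payload) + "."


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Vulnerable pattern: the untrusted header chooses how the token is checked."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    signing_input = f"{head_b64}.{body_b64}".encode()
    if header.get("alg") == "none":
        # The defect: the attacker-controlled header disables signature checking.
        return json.loads(b64url_decode(body_b64))
    if header.get("alg") == "HS256":
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(body_b64))
    raise ValueError("invalid signature")


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Hardened pattern: the verifier decides the algorithm up front. The header's
    alg is only compared for agreement and never used to pick a code path."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != expected_alg:
        raise ValueError(f"header alg {header.get('alg')!r} != pinned {expected_alg!r}")
    signing_input = f"{head_b64}.{body_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    return json.loads(b64url_decode(body_b64))


def demo() -> dict:
    """Run both verifiers over a genuine token and the alg=none test vector."""
    genuine = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = unsigned_alg_none_token({"sub": "alice", "role": "admin"})
    results = {
        "genuine_pinned": verify_pinned(genuine, SECRET)["role"],
        "forged_trusting_header": verify_trusting_header(forged, SECRET)["role"],
    }
    try:
        verify_pinned(forged, SECRET)
        results["forged_pinned"] = "accepted"
    except ValueError as exc:
        results["forged_pinned"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The pinned verifier also refuses a token whose header says HS256 but whose signature was computed under another algorithm or key, because there is only one verification routine and it is chosen by the server, not by the token. In a real deployment the same idea applies to key selection: the `kid` header may pick among keys the server already trusts, but it must not be allowed to point at arbitrary material.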