abritinthebay
8y ago
That’s only true of JWT if you allow your server to accept all algorithms.
You don’t actually have to.
2 comments · 1 top-level
rblatz
8y ago
Correct, your token authority should specify which algorithms are valid, and your clients should self configure via a secure back channel to only accept the algorithms your token authority issues.
abritinthebay
OP
8y ago
Exactly! JWT is a much misunderstood system, it seems. Though it doesn’t exactly help itself by being quite complex.
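The point made in the post and in rblatz’s reply, shown as an added example that is not code from the thread or from any particular JWT library: the verifier, not the token’s own header, decides which algorithms are acceptable. The block below uses only the Python standard library. The secret, the claims and the tokens are constructed for the demo; `verify_trusting_header` is the lenient pattern the post warns about and `verify_pinned` is the restricted one. A forged token whose header says `"alg": "none"` is accepted by the first and rejected by the second, even though both share the same signature check for HMAC algorithms.

```python
"""Pinned-algorithm JWT verification versus trusting the token's header (added example)."""
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"demo-secret-do-not-use"

_HMAC_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def _hs_sign(signing_input: bytes, key: bytes, alg: str) -> bytes:
    # Raises KeyError for anything that is not an HMAC algorithm we implement.
    return hmac.new(key, signing_input, _HMAC_DIGESTS[alg]).digest()


def mint(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Issue a token. alg='none' yields an unsigned token (used below to forge one)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = f"{_segment(header)}.{_segment(claims)}".encode("ascii")
    sig = b"" if alg == "none" else _hs_sign(signing_input, key, alg)
    return signing_input.decode("ascii") + "." + _b64url_encode(sig)


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Lenient verifier: lets the token's own header choose the algorithm."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header["alg"] == "none":
        return json.loads(_b64url_decode(p))  # no signature checked at all
    expected = _hs_sign(f"{h}.{p}".encode("ascii"), key, header["alg"])
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def verify_pinned(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    """Restricted verifier: only the algorithms the token authority issues are accepted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    alg = json.loads(_b64url_decode(h)).get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"algorithm {alg!r} not permitted")
    expected = _hs_sign(f"{h}.{p}".encode("ascii"), key, alg)
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def demo() -> dict:
    """Run both verifiers against a legitimate token and a forged alg=none token."""
    legit = mint({"sub": "alice", "admin": False}, SECRET)
    # The forger rewrites the claims and sets alg=none; no key is needed for that.
    forged = mint({"sub": "alice", "admin": True}, b"", alg="none")
    results = {
        "legit_trusting": verify_trusting_header(legit, SECRET)["admin"],
        "legit_pinned": verify_pinned(legit, SECRET)["admin"],
        "forged_trusting": verify_trusting_header(forged, SECRET)["admin"],
    }
    try:
        verify_pinned(forged, SECRET)
        results["forged_pinned"] = "accepted"
    except ValueError as exc:
        results["forged_pinned"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The allowlist is passed in by the verifying service, which is the "secure back channel" configuration rblatz describes: the client learns out of band which algorithms the authority signs with and refuses everything else before any signature arithmetic runs.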