Better HN
abritinthebay
8y ago
That’s only true of JWT if you allow your server to accept all algorithms. You don’t actually have to.
rblatz
8y ago
Correct, your token authority should specify which algorithms are valid, and your clients should self-configure via a secure back channel to only accept the algorithms your token authority issues.
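The point both comments make, as an added example (not code from the thread or from any JWT library): a verifier that takes its algorithm allowlist from server-side configuration, beside the permissive verifier that trusts whatever `alg` the token header claims. Only the HMAC family is implemented, using the standard library; the key, the claims, the `ALLOWED` set and all function names are constructed for this demo and are not from the original page.

```python
# Added example, not from the thread: algorithm pinning for JWT verification.
# Standard library only; HMAC (HS256/HS384/HS512) algorithms only.
import base64
import hashlib
import hmac
import json

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# Constructed demo values (assumptions, not from the thread).
KEY = b"constructed-demo-key-do-not-reuse"
CLAIMS = {"sub": "alice", "admin": False}
ALLOWED = frozenset({"HS256"})  # the algorithm the token authority actually issues


class InvalidToken(Exception):
    pass


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign(claims: dict, key: bytes, alg: str) -> str:
    """Mint a token. alg='none' yields an unsigned token; used only to build the attack case."""
    signing_input = _json_segment({"alg": alg, "typ": "JWT"}) + "." + _json_segment(claims)
    if alg == "none":
        return signing_input + "."
    mac = hmac.new(key, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return signing_input + "." + _b64url_encode(mac)


def forge_none(new_claims: dict) -> str:
    """The classic attack: claim alg 'none', write any payload, send no signature."""
    return _json_segment({"alg": "none", "typ": "JWT"}) + "." + _json_segment(new_claims) + "."


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers bad base64 and bad JSON
        raise InvalidToken("unparseable header")
    if not isinstance(header, dict):
        raise InvalidToken("header is not a JSON object")
    return header, parts


def verify_permissive(token: str, key: bytes) -> dict:
    """Anti-pattern: lets the token header choose the algorithm, including 'none'."""
    header, (h, p, s) = _split(token)
    alg = header.get("alg")
    if alg == "none":
        return json.loads(_b64url_decode(p))  # no signature check at all
    if alg not in HMAC_ALGS:
        raise InvalidToken(f"unsupported alg {alg!r}")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise InvalidToken("signature mismatch")
    return json.loads(_b64url_decode(p))


def verify_pinned(token: str, key: bytes, allowed: frozenset) -> dict:
    """Recommended: the allowlist is verifier configuration and is never read from the token."""
    header, (h, p, s) = _split(token)
    alg = header.get("alg")
    if alg not in allowed or alg not in HMAC_ALGS:
        raise InvalidToken(f"alg {alg!r} not in server allowlist {sorted(allowed)}")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
        raise InvalidToken("signature mismatch")
    return json.loads(_b64url_decode(p))


def outcome(fn, *args):
    """Run a verifier and report ('accepted', claims) or ('rejected', reason)."""
    try:
        return "accepted", fn(*args)
    except InvalidToken as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    good = sign(CLAIMS, KEY, "HS256")
    forged = forge_none({"sub": "alice", "admin": True})
    print("permissive, forged:", outcome(verify_permissive, forged, KEY))
    print("pinned, forged:    ", outcome(verify_pinned, forged, KEY, ALLOWED))
    print("pinned, HS512:     ", outcome(verify_pinned, sign(CLAIMS, KEY, "HS512"), KEY, ALLOWED))
    print("pinned, good:      ", outcome(verify_pinned, good, KEY, ALLOWED))
```

Two things the pinned verifier shows that the permissive one does not: a token whose header says `none` never reaches the payload, and a token correctly signed with an algorithm the authority does not issue (HS512 here) is still refused, because the allowlist comes from the server's configuration rather than from the token.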
abritinthebay
OP
8y ago
Exactly! JWT is a much-misunderstood system, it seems. Though it doesn’t exactly help itself by being quite complex.