What I don't like about JSON Web Tokens (opens in new tab)

If there are libraries that silently accept an unsigned JWT with alg:none, even when they are provided a secret key to verify, that's a serious CVE right there...

If a secret or public key is passed to the verify function, the function MUST fail if no signature is actually present in the token. E.g. on node-jwt; [1]

  if (parts[2].trim() === '' && secretOrPublicKey){
    return done(new JsonWebTokenError('jwt signature is required'));
  }

As another example, in the C# library, as long as 'RequireSignedTokens' is true, it will ensure the signature can't be stripped. [2] I'd say that's poor design to allow specifying a key and then ignoring it silently if 'RequireSignedTokens' is false, even if it is true by default, because the combination of 'RequireSignedTokens' = false, and a non-null key, is invalid.

[1] - https://github.com/auth0/node-jsonwebtoken/blob/master/index...

[2] - https://github.com/AzureAD/azure-activedirectory-identitymod...