Validate token algorithm in Parse/Verify functions.

[itsjamie]

Vulnerability that allows a user to generate a valid token is possible due to some behaviour between certain algorithms, if all are accepted it would allow a user to generate valid tokens with only the public key for RSA. You might not keep the same stringent set of security around your public key.

https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/

[raulgzm]

Hi Jamie,

We are working on it right now! We hope publish a workaround ASAP.

Thank you!

[itsjamie]

For the easy method, you just need to pick a single algorithm that you will use for your tokens, and then validate that inside the token.Verify method where you must return the key to use.

I believe jwt-go has an example on their repo.

[raulgzm]

Thanks Jamie,

We have just commited a workaround to fix the vulnerability in JWT. We'll publish a new article in our blog to share and show our temporary workaround. We hope there will be a library update soon to remedy this.

Thanks a lot Jamie.