Summary
RFC 7519 section 6.1 specifies Unsecured JWTs with algorithm none:
https://www.rfc-editor.org/rfc/rfc7519#section-6
Steps to reproduce
Try encoding using algorithm none:
> jwt encode --alg=none '{"role": "my-role"}'
error: The following required arguments were not provided:
--secret <SECRET>
USAGE:
jwt encode --secret <SECRET> --alg <ALGORITHM> <JSON>
For more information try --help
And decoding using the JWT from section 6.1 of the spec:
> jwt decode 'eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.'
The JWT provided is invalid because Error(Json(Error("unknown variant `none`, expected one of `HS256`, `HS384`, `HS512`, `ES256`, `ES384`, `RS256`, `RS384`, `RS512`, `PS256`, `PS384`, `PS512`", line: 1, column: 13)))
Expected behavior
The command jwt encode --alg=none should create a valid unsecured JWT and jwt decode should be able to parse unsecured JWTs.
Instead of jwt encode --alg=none the CLI could also expose this functionality via jwt encode --unsecured to make the security implications more obvious.
Additionally, jwt decode could also require an --unsecured argument and throw a validation error if not provided when decoding an unsecured JWT.
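The following Python script is an added illustration of the behaviour proposed above; it is example code, not jwt-cli's implementation. It builds an Unsecured JWT exactly as RFC 7519 section 6 describes (header {"alg":"none"}, empty third segment, trailing dot), and its decoder only accepts alg none when the caller opts in with unsecured=True, standing in for the proposed --unsecured flag. The function names, the HS256 secret and the sample claims are assumptions made for the example. It also shows why the opt-in matters: an HS256 token whose header is rewritten to alg none and whose signature is stripped is rejected by default, but parses fine once the opt-in is given.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# The example Unsecured JWT from RFC 7519 section 6.1 (copied from the spec).
RFC7519_UNSECURED = (
    "eyJhbGciOiJub25lIn0."
    "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ."
)


def b64url_encode(data: bytes) -> str:
    # JWS uses base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWS strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def encode_unsecured(claims: dict) -> str:
    """Unsecured JWT (RFC 7519 section 6): alg "none", empty signature, trailing '.'."""
    return f"{_segment({'alg': 'none'})}.{_segment(claims)}."


def encode_hs256(claims: dict, secret: bytes) -> str:
    """HS256-signed JWT for comparison with the unsecured form."""
    header, payload = _segment({"alg": "HS256", "typ": "JWT"}), _segment(claims)
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def downgrade_to_none(token: str) -> str:
    """The classic alg-confusion trick: keep the payload, swap the header to alg none,
    drop the signature. A verifier that accepts alg none implicitly is fooled by this."""
    _, payload, _ = token.split(".")
    return f"{_segment({'alg': 'none'})}.{payload}."


class InvalidToken(Exception):
    pass


def decode(token: str, secret: Optional[bytes] = None, unsecured: bool = False) -> dict:
    """Decode and verify. `unsecured` plays the role of the proposed --unsecured flag:
    alg none is only accepted when the caller asks for it explicitly (assumed design)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken(f"bad header: {exc}") from exc
    alg = header.get("alg")
    if alg == "none":
        if not unsecured:
            raise InvalidToken("unsecured JWT (alg none) rejected; pass --unsecured to accept it")
        if sig_b64 != "":
            # RFC 7519 section 6: the JWS Signature of an Unsecured JWT is the empty string.
            raise InvalidToken("alg none requires an empty signature segment")
    elif alg == "HS256":
        if secret is None:
            raise InvalidToken("HS256 token but no secret supplied")
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise InvalidToken("HS256 signature mismatch")
    else:
        raise InvalidToken(f"unsupported alg {alg!r}")
    return json.loads(b64url_decode(payload_b64))


def rejects(token: str, **kwargs) -> bool:
    """True if decode() refuses the token (used to show the default-deny behaviour)."""
    try:
        decode(token, **kwargs)
    except InvalidToken:
        return True
    return False


if __name__ == "__main__":
    print(encode_unsecured({"role": "my-role"}))           # ends with a trailing '.'
    print(decode(RFC7519_UNSECURED, unsecured=True))        # RFC 7519 section 6.1 claims
    print(rejects(RFC7519_UNSECURED))                       # True: alg none needs the opt-in
    signed = encode_hs256({"role": "admin"}, b"s3cret")     # constructed sample secret
    print(rejects(downgrade_to_none(signed), secret=b"s3cret"))  # True by default
```

Without the opt-in the decoder treats alg none like any other unsupported algorithm, which is the error the CLI already produces today; with it, the RFC example token round-trips, and so does the downgraded HS256 token, which is exactly why the flag should be explicit rather than the default.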