-
|
Hello nice folks, and thank you very much for your work. I am dealing with a third-party (so I can't change their implementation) that sends us a jwt, which we need to verify the signature of. This third party is serving their public key using a URL, and the include this URL inside the headers of the token, example headers: {
"typ": "JWT",
"x5u": "https://dummysite.com/jwt-auth-public-key.pem"
}I could of course store their URL or the public key itself in my application, but I am a bit skeptical they might change it in the feature, so ideally I would to fetch the key every time (despite the extra latency). So I would like to 1) parse the jwt token 2) access the headers to get the URL 3) fetch the key 4) verify the signature of the jwt token. so What is the problem? raw_token_str = "eyJhbGciOiJIUzI1......"
token = jwt.JWT(jwt=token_str)
print(token.headers) # raises exceptionOnly if I provide the key along with the raw token, are the jwt headers available. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
|
That is intentional, a token can't be used until it is properly verified. Additionally you would completely defeat the purpose of verifying the signed JWT, if you download a key that is being communicated to you with the JWT, opening a huge security hole in your processes. At the very least you would have to create an allow-list of allowed public keys, which means still knowing all keys, so you may as well store the actual pubic key. In any case, should you still wish to create a completely insecure system along the way you describe (maybe you are just testing stuff and not actually relying on these JWTs as an authentication or authorization mechanism of any sort), you should be able to use JWS directly like this: you can also still use JWT, if you prefer, like this: But again you cannot trust the JWT to carry the key you use to verify it, it is a no-op in terms of validation as anyone can create a token that verifies that way. |
Beta Was this translation helpful? Give feedback.
That is intentional, a token can't be used until it is properly verified.
Additionally you would completely defeat the purpose of verifying the signed JWT, if you download a key that is being communicated to you with the JWT, opening a huge security hole in your processes.
Any attacker would be able to publish the public key part of a pair they control, and then start minting JWTs that your tool would verify as valid.
At the very least you would have to create an allow-list of allowed public keys, which means still knowing all keys, so you may as well store the actual pubic key.
In any case, should you still wish to create a completely insecure system along the way you describe (maybe you…