Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provide a better API for decoding a token without signature validation #401

Open
tyilo opened this issue Aug 26, 2024 · 5 comments
Open

Provide a better API for decoding a token without signature validation #401

tyilo opened this issue Aug 26, 2024 · 5 comments

Comments

@tyilo
Copy link

tyilo commented Aug 26, 2024

Currently you have to use:

// Algorithm can be arbitrarily chosen
let mut validation = jsonwebtoken::Validation::new(jsonwebtoken::Algorithm::RS256);
validation.insecure_disable_signature_validation();

// Key can be arbitrarily chosen
let key = DecodingKey::from_secret(&[]);
let payload = jsonwebtoken::decode::<Claims>(token, &key, &validation).unwrap();

I think the following API would be better:

let mut validation = jsonwebtoken::Validation::insecure_without_signature_validation();
let payload = jsonwebtoken::insecure_decode_without_signature_validation::<Claims>(token, &validation).unwrap();

You avoid having to choose a random algorithm and decoding key that isn't ever used.
@Keats
Copy link
Owner

Keats commented Aug 26, 2024

Honestly, decoding a token without validating the signature is something that you shouldn't do most of the time so I do not particularly care about making it user friendly

@tyilo
Copy link
Author

tyilo commented Aug 26, 2024

Honestly, decoding a token without validating the signature is something that you shouldn't do most of the time so I do not particularly care about making it user friendly

It is useful as a client using the token to be able to see what claims are inside the token. exp can be really useful.

@Keats
Copy link
Owner

Keats commented Aug 27, 2024

Well you can't really trust any of the things you see in the claims unless you validate the signature

@tyilo
Copy link
Author

tyilo commented Aug 27, 2024

Well you can't really trust any of the things you see in the claims unless you validate the signature

Sure, but I'm the client. I don't have access to the server's secret key.

@pooriatgh
Copy link

Today, I encountered the same issue. It would be nice if we could make this easier. Here is the scenario:

  1. I need to decode the token, look into the claims without validation, and extract the issuer's name.
  2. Use the issuer's name to find the correct public key file from a list of public keys I have.
  3. Use the key to perform the verification/validation.

I tried the solution provided by @tyilo , but I failed to decode without the audience validation step. I used this option to disable it:

let mut validation = jsonwebtoken::Validation::new(jsonwebtoken::Algorithm::RS256);
validation.insecure_disable_signature_validation();
validation.validate_aud = false;

For example in typescript this package provide more or less what I need: node-jsonwebtoken

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tyilo @Keats @pooriatgh