
Not possible to verify unsigned token (signed with alg none) #185


Closed
jonekdahl opened this issue Mar 16, 2016 · 5 comments

Comments

@jonekdahl
Contributor

Is it possible to verify (as in jwt.verify()) a token that was signed with algorithm none?

var jwt = require('jsonwebtoken');

var payload = {
    iss: 'https://example.com',
    aud: 'test.client.id'
};
var signedToken = jwt.sign(payload, null, { algorithm: 'none' });

// First try with empty key, causes 'secret or public key must be provided'
jwt.verify(signedToken, null, { audience: 'test.client.id', issuer: 'https://example.com' }, ...);

// Second try with a dummy key, causes 'jwt signature is required'
jwt.verify(signedToken, '<dummy key>', { audience: 'test.client.id', issuer: 'https://example.com' }, ...);

I expected the first version to do what I want, which is to realize that the token does not have a signature and therefore doesn't require a signature validation and hence not a key either.

@jfromaniello
Member

The verify method options support algorithms which is an array of supported algs

@jonekdahl
Contributor Author

Thanks for the suggestion. Unfortunately, using options.algorithms didn't help:

// Third attempt, also causes 'secret or public key must be provided'
jwt.verify(signedToken, null, { algorithms: ['none'] }, ...);

@jonekdahl
Contributor Author

I had a look at the jwt.verify() implementation and it does not seem to handle unsigned JWTs correctly. This is the snippet of code where the problem occurs:

  if (parts[2].trim() === '' && secretOrPublicKey){
    return done(new JsonWebTokenError('jwt signature is required'));
  }

  if (!secretOrPublicKey) {
    return done(new JsonWebTokenError('secret or public key must be provided'));
  }

If the token does not have a signature, the method will always return with an error. One way to fix this would be to add an additional condition to the second if statement:

  if (parts[2].trim() !== '' && !secretOrPublicKey) {
    return done(new JsonWebTokenError('secret or public key must be provided'));
  }

This change allows jwt.verify() to successfully verify an unsigned token, assuming you pass { algorithms: ['none'] }. It does not break any of the existing test cases, but I am not sure it is correct.

@jfromaniello
Member

Yes! Sounds like a good plan

@jonekdahl jonekdahl changed the title Verify token signed with alg none Not possible to verify unsigned token (signed with alg none) Mar 18, 2016
@jonekdahl
Contributor Author

OK, great. I updated the title to reflect that this is more of a defect than a question.
