RFC 7519, "JSON Web Token (JWT)", May 2015Source of RFC: oauth (sec)
Errata ID: 5906
Publication Format(s) : TEXT
Reported By: Erdem Memisyazici
Date Reported: 2019-11-13
Section 7.2 says:
Finally, note that it is an application decision which algorithms may be used in a given context. Even if a JWT can be successfully validated, unless the algorithms used in the JWT are acceptable to the application, it SHOULD reject the JWT.
It should say:
Finally, note that it is an application decision which algorithms may be used in a given context. Even if a JWT can be successfully validated, unless the algorithms used in the JWT are acceptable to the application, it MUST reject the JWT.
A vulnerability exists in certain implementations in the wild where applications simply look for valid JWT tokens which includes the "none" algorithm (https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a). A fairly popular library is auth0's java-jwt and at verification (https://github.com/auth0/java-jwt/blob/master/lib/src/main/java/com/auth0/jwt/JWTVerifier.java) quite reasonably you cannot initialize the class without an algorithm. Given all capital SHOULD may be interpreted as a recommendation and as this RFC dictates the algorithm "none" MUST be implemented as a default algorithm under Section 8, one could argue JWTVerifier in the example doesn't have to verifyAlgorithm leading to the vulnerability pointed out in the first article while still complying by the specification. There is no good reason why an algorithm unacceptable to the application must not be rejected as it does more harm than good and all popular library implementations interpret it as such.