
Provide a better API for decoding a token without signature validation #401

Open
tyilo opened this issue Aug 26, 2024 · 6 comments
@tyilo

tyilo commented Aug 26, 2024

Currently you have to use:

```rust
use jsonwebtoken::DecodingKey;

// Algorithm can be arbitrarily chosen
let mut validation = jsonwebtoken::Validation::new(jsonwebtoken::Algorithm::RS256);
validation.insecure_disable_signature_validation();

// Key can be arbitrarily chosen
let key = DecodingKey::from_secret(&[]);
let payload = jsonwebtoken::decode::<Claims>(token, &key, &validation).unwrap();
```

I think the following API would be better:

```rust
let mut validation = jsonwebtoken::Validation::insecure_without_signature_validation();
let payload = jsonwebtoken::insecure_decode_without_signature_validation::<Claims>(token, &validation).unwrap();
```

You avoid having to choose a random algorithm and decoding key that isn't ever used.

@Keats (Owner)

Keats commented Aug 26, 2024

Honestly, decoding a token without validating the signature is something that you shouldn't do most of the time so I do not particularly care about making it user friendly

@tyilo (Author)

tyilo commented Aug 26, 2024

> Honestly, decoding a token without validating the signature is something that you shouldn't do most of the time so I do not particularly care about making it user friendly

It is useful as a client using the token to be able to see what claims are inside the token. `exp` can be really useful.

@Keats (Owner)

Keats commented Aug 27, 2024

Well you can't really trust any of the things you see in the claims unless you validate the signature

@tyilo (Author)

tyilo commented Aug 27, 2024

> Well you can't really trust any of the things you see in the claims unless you validate the signature

Sure, but I'm the client. I don't have access to the server's secret key.

@pooriatgh

Today, I encountered the same issue. It would be nice if we could make this easier. Here is the scenario:

  1. I need to decode the token, look into the claims without validation, and extract the issuer's name.
  2. Use the issuer's name to find the correct public key file from a list of public keys I have.
  3. Use the key to perform the verification/validation.

I tried the solution provided by @tyilo, but I failed to decode without the audience validation step. I used this option to disable it:

```rust
let mut validation = jsonwebtoken::Validation::new(jsonwebtoken::Algorithm::RS256);
validation.insecure_disable_signature_validation();
validation.validate_aud = false;
```

For example, in TypeScript this package provides more or less what I need: node-jsonwebtoken
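The key-selection step from the scenario above (read the issuer from the unverified payload, pick the matching key, then verify with that key), as an added example that is not part of this thread or of the jsonwebtoken crate. It uses only the Rust standard library, so the verifying call itself is left to `jsonwebtoken::decode` with a normal `Validation`, exactly as quoted in the issue; the token, issuer name and key table are constructed for the example.

```rust
use std::collections::HashMap;

/// Decode base64url (RFC 7515 alphabet with '-' and '_', padding optional).
/// Any byte outside the alphabet rejects the whole segment.
fn base64url_decode(input: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in input.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62,
            b'_' => 63,
            b'=' => break,
            _ => return None,
        };
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1u32 << bits) - 1; // keep only the leftover bits
        }
    }
    Some(out)
}

/// Read one string claim from the payload WITHOUT checking the signature.
/// Nothing returned here is authenticated; it may only steer key selection.
fn unverified_claim(token: &str, claim: &str) -> Option<String> {
    let parts: Vec<&str> = token.split('.').collect();
    if parts.len() != 3 { return None; } // compact JWS is header.payload.signature
    let json = String::from_utf8(base64url_decode(parts[1])?).ok()?;
    // Minimal scan for "<claim>":"<value>" (constructed helper, not a JSON parser;
    // string-valued claims only, which is all the issuer lookup needs).
    let key = format!("\"{}\":", claim);
    let rest = json[json.find(&key)? + key.len()..].trim_start().strip_prefix('"')?;
    Some(rest[..rest.find('"')?].to_string())
}

/// Pick the issuer's PEM public key for the verifying call: the caller must still
/// run jsonwebtoken::decode with Validation::new(Algorithm::RS256) and this key.
/// An unknown issuer yields None and the token is rejected without going further.
fn select_key(token: &str, keys_by_issuer: &HashMap<String, String>) -> Option<String> {
    let iss = unverified_claim(token, "iss")?;
    keys_by_issuer.get(&iss).cloned()
}
// Constructed sample: header {"alg":"RS256"}, payload {"iss":"issuer-a"}, and a
// placeholder signature segment, since this example never verifies it.
const SAMPLE_TOKEN: &str = "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJpc3N1ZXItYSJ9.sig";
```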

@ppamorim

> Well you can't really trust any of the things you see in the claims unless you validate the signature

> Sure, but I'm the client. I don't have access to the server's secret key.

You are totally right, it makes no sense to not be able to decode a JWT on the client side; this function is pretty simple and supported by most of the other JWT libraries I had to face. When this library is used on the server side it totally makes sense to force the validation, as it is basically how JWT works.

There is really no real benefit in not implementing this feature and the author is asking for the impossible, we cannot use this library without those workarounds.
