by mfincham on 4/15/20, 9:36 PM with 1 comment
by rvz on 4/15/20, 9:50 PM
The option to have 'alg: none' should never be used as it is still the biggest footgun in the JOSE specification. I'm not sure why on earth you need a case-sensitive filter on this, but even giving the user a choice of ciphers to use is a recipe for disaster. Thus JWT is still a cryptographically weak standard.
PASETO [0] or Branca [1] are cryptographically stronger alternatives to use over JWT here.
[0] https://paseto.io
[1] https://branca.io
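An added example, not part of the thread or of any library the commenter mentions, showing the two footguns the comment describes: a verifier that honours the token's own `alg` header, and a case-sensitive blocklist for "none" that "None" walks straight past. The HS256 implementation, the secret and the claims are all constructed for the demo; the hardened verifier pins the expected algorithm up front instead of trusting the header.

```python
"""Toy JWT (HS256) signer plus two verifiers, constructed for this example.

verify_trusting_header() reproduces the classic bug: the algorithm is
dispatched from the attacker-controlled header, and the only defence is an
exact-match blocklist for the string "none".  verify_pinned() is what a
safe verifier looks like: the caller states which algorithm it accepts and
anything else is rejected before a signature is even looked at.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed for the example, not a real key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def forge_alg_none(claims: dict, alg_value: str = "none") -> str:
    """Attacker's token: header says alg=<alg_value>, signature part left empty."""
    return _encode_json({"alg": alg_value, "typ": "JWT"}) + "." + _encode_json(claims) + "."


def verify_trusting_header(token: str, key: bytes):
    """VULNERABLE: algorithm chosen by the token, 'none' blocked case-sensitively."""
    h, p, s = token.split(".")
    alg = json.loads(_b64url_decode(h)).get("alg", "")
    if alg == "none":                      # exact-match blocklist ...
        return None
    if alg.lower() == "none":              # ... but dispatch is case-insensitive,
        return json.loads(_b64url_decode(p))   # so "None" is accepted unsigned
    if alg.upper() == "HS256":
        expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s)):
            return json.loads(_b64url_decode(p))
    return None


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256"):
    """SAFE: the verifier decides the algorithm; the header must merely agree."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != expected_alg:  # exact match against the allowlist
        return None
    if expected_alg != "HS256":            # this demo only implements HS256
        return None
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


if __name__ == "__main__":
    evil = {"sub": "alice", "admin": True}
    for alg in ("none", "None"):
        t = forge_alg_none(evil, alg)
        print(alg, "trusting-header:", verify_trusting_header(t, SECRET),
              "pinned:", verify_pinned(t, SECRET))
```

The point of `verify_pinned` is that there is nothing to filter: the token never gets a vote on how it is checked, so neither "none" nor any case or Unicode variant of it matters. Real deployments should use a maintained library with the algorithm passed as an explicit allowlist rather than this toy.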