This repository has been archived by the owner on Feb 27, 2023. It is now read-only.
The signing method none is not implemented. The JWS and OpenID specifications define and use alg: none, but there is no support for it in this library.
The "none" signing method is imo a misfeature of the standard, and we won't be implementing it in this library. It's just too easy to get it wrong and I've never heard a compelling use-case for it.
This is the best I can do: if you need to log a JWT and later process log entries containing the JWT, perhaps you would mask some claims and remove the signature (i.e. sign it with method none). It's nice that it still parses correctly as a JWT. It's hardly compelling because who logs JWTs anyway?
I wonder what uses for it they imagined when developing the standard because nearly everything I can think of is better with signed tokens. Nevertheless it's part of the standard, and I logged this issue because it was missing and impossible for users of this library to implement without a fork. By contrast, other libraries (such as https://github.com/dgrijalva/jwt-go) support pluggable signing methods.
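An added example, not part of the thread and not this library's code, of the check behind the "too easy to get it wrong" concern: the verifier pins the one algorithm it accepts, so a token whose header says `alg: none` is refused before any signature logic runs. The names `VerifyHS256` and `signHS256` and the demo key are hypothetical, and the tokens are constructed sample input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var enc = base64.RawURLEncoding // JWS uses unpadded base64url

// signHS256 builds a signed compact JWS (helper that produces the constructed sample input).
func signHS256(claims string, key []byte) string {
	in := enc.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + enc.EncodeToString([]byte(claims))
	m := hmac.New(sha256.New, key)
	m.Write([]byte(in))
	return in + "." + enc.EncodeToString(m.Sum(nil))
}

// VerifyHS256 pins the algorithm: the header's "alg" is checked, never used to pick one.
func VerifyHS256(token string, key []byte) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	hdrJSON, err := enc.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, fmt.Errorf("bad header")
	}
	if hdr.Alg != "HS256" { // exact match rejects "none", "None", "" and anything else
		return nil, fmt.Errorf("algorithm %q not allowed", hdr.Alg)
	}
	m := hmac.New(sha256.New, key)
	m.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, m.Sum(nil)) { // constant-time compare
		return nil, fmt.Errorf("signature invalid")
	}
	return enc.DecodeString(parts[1])
}

func main() {
	key := []byte("constructed-demo-key")
	claims, err := VerifyHS256(signHS256(`{"sub":"alice"}`, key), key)
	fmt.Printf("%s %v\n", claims, err)
	fmt.Println(VerifyHS256(enc.EncodeToString([]byte(`{"alg":"none"}`))+".e30.", key))
}
```

The same shape applies to any algorithm: the caller states what it expects and the token's header can only agree or be rejected.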