Provide a better API for decoding a token without signature validation #401
Comments
Honestly, decoding a token without validating the signature is something that you shouldn't do most of the time, so I do not particularly care about making it user-friendly.
It is useful, as a client using the token, to be able to see what claims are inside the token.
Well, you can't really trust any of the things you see in the claims unless you validate the signature.
Sure, but I'm the client. I don't have access to the server's secret key.
Today, I encountered the same issue. It would be nice if we could make this easier. Here is the scenario:
I tried the solution provided by @tyilo, but I failed to decode without the audience validation step. I used this option to disable it:

```rust
let mut validation = jsonwebtoken::Validation::new(jsonwebtoken::Algorithm::RS256);
validation.insecure_disable_signature_validation();
validation.validate_aud = false;
```

For example, in TypeScript this package provides more or less what I need: node-jsonwebtoken
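What the client-side use case in this thread amounts to is reading the header and claims segments without touching the signature. The following is an added example, not code from the jsonwebtoken crate or from any commenter: it uses only the Rust standard library, a hand-written unpadded base64url decoder, and a constructed sample token.

```rust
// Added example (not the jsonwebtoken crate's code): split a JWT into its three
// segments and decode header and payload (unpadded base64url, RFC 7515) without
// touching the signature. Nothing here is verified, so a client may display these
// claims but must never authorize anything based on them.

/// Decode unpadded base64url into bytes. Returns None for characters outside the
/// JWT alphabet ('=' padding, '+' and '/' included) or for an impossible length.
fn base64url_decode(input: &str) -> Option<Vec<u8>> {
    let mut out = Vec::with_capacity(input.len() * 3 / 4);
    let (mut buf, mut bits) = (0u32, 0u32);
    for c in input.bytes() {
        let v: u8 = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62,
            b'_' => 63,
            _ => return None,
        };
        buf = (buf << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((buf >> bits) as u8);
            buf &= (1 << bits) - 1;
        }
    }
    // One leftover character carries only 6 bits and can never form a byte.
    if bits >= 6 { return None; }
    Some(out)
}

/// Return the decoded header and claims JSON of `header.payload.signature` as text.
/// The signature segment is deliberately ignored: this is a peek, not a validation.
fn peek_jwt(token: &str) -> Option<(String, String)> {
    let parts: Vec<&str> = token.split('.').collect();
    if parts.len() != 3 { return None; }
    let header = String::from_utf8(base64url_decode(parts[0])?).ok()?;
    let claims = String::from_utf8(base64url_decode(parts[1])?).ok()?;
    Some((header, claims))
}

// Constructed sample: {"alg":"RS256","typ":"JWT"} . {"sub":"alice","exp":1700000000} . placeholder signature
const SAMPLE_TOKEN: &str = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImV4cCI6MTcwMDAwMDAwMH0.c2ln";

fn main() {
    match peek_jwt(SAMPLE_TOKEN) {
        Some((h, c)) => println!("header: {}\nclaims: {}", h, c),
        None => println!("malformed token"),
    }
}
```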
You are totally right. It makes no sense to not be able to decode a JWT on the client side; this function is pretty simple and supported by most of the other JWT libraries I have had to deal with. When this library is used on the server side it totally makes sense to force the validation, as that is basically how JWT works. There is really no benefit in not implementing this feature, and the author is asking for the impossible: we cannot use this library without those workarounds.
Currently you have to use:
I think the following API would be better:
You avoid having to choose a random algorithm and decoding key that isn't ever used.