You would think so, but even an authentication company screwed it up:
https://cybercx.co.nz/blog/json-web-token-validation-bypass-...
You would think so, but even an authentication company screwed it up:
https://cybercx.co.nz/blog/json-web-token-validation-bypass-...
Clearly trying to be too general. I wrote a tiny JWT validator before that only allows a very small subset of algorithms because I wasn't expecting the JWTs it would handle to have anything else, and obviously not "none".
Wow lol