
JWT Skip claim validation

Open aclowkey opened this issue 5 years ago • 4 comments

I was wondering if it's possible to skip claim validations in the JWT middleware. i.e. somebody sends with "alg":"HS256", but I don't want to check the signature

aclowkey • Aug 23 '20 08:08

No, currently it is not possible to skip signature checking. This would only make sense for testing, as the signature is part of the JWT mechanism to ensure a valid token.

lammel • Sep 04 '20 09:09

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] • Nov 07 '20 22:11

On some infrastructure, it's the gateway/mesh that does this verification (like Istio); the microservice itself is dumb about authentication.

agravelot • Feb 19 '21 22:02

This is probably resolved by PR #1756, which allows using a custom KeyFunc to handle key retrieval and signature validation. Please let us know if this works for you, @aclowkey.

lammel • Mar 09 '21 12:03
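
The sketch below is an added example, not code from Echo or from any participant in this thread: standard-library Go with hypothetical helpers `Sign` and `Claims` and constructed keys. It shows what skipping the HS256 check discussed above means for a service: a token signed with a key the service does not know is rejected by the verified parse and accepted by the unverified one, so the unverified path relies entirely on an upstream gateway having validated the token.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
// mac returns the HS256 signature over the "header.payload" signing input.
func mac(signingInput string, key []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(signingInput))
	return h.Sum(nil)
}

// Sign builds a compact HS256 token from a JSON payload (used for constructed samples).
func Sign(payload string, key []byte) string {
	in := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(payload))
	return in + "." + b64.EncodeToString(mac(in, key))
}

// Claims decodes the payload; with verify set it first checks the HS256 signature (header alg is ignored).
func Claims(token string, key []byte, verify bool) (map[string]interface{}, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	if sig, err := b64.DecodeString(p[2]); verify && (err != nil || !hmac.Equal(sig, mac(p[0]+"."+p[1], key))) {
		return nil, errors.New("invalid signature")
	}
	var c map[string]interface{}
	raw, err := b64.DecodeString(p[1])
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	return c, err
}

func main() {
	forged := Sign(`{"sub":"admin"}`, []byte("not-the-service-key")) // constructed sample token
	_, err := Claims(forged, []byte("constructed-demo-key"), true)
	c, _ := Claims(forged, nil, false)
	fmt.Println("verified:", err, "| unverified sub:", c["sub"])
}
```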