Allow for JwtConsumer to not do verification key resolution when alg is none
Issue #95
closed
Allow for JwksVerificationKeyResolver, HttpsJwksVerificationKeyResolver, etc. to not look at the keys and just have a null key when alg is none.
The error message when alg is none from JwksVerificationKeyResolver and HttpsJwksVerificationKeyResolver isn't great and it'd be more efficient to not be looking at the keys in that case.
Needs to be done as an opt-in option to avoid risk of introducing issues in upgrade. AlgorithmConstraints should be in place when none is not acceptable but some users might be relying on the VerificationKeyResolver.
Comments (5)
reporter - changed title to Allow for JwtConsumer to not do key resolution when alg is none
- edited description
reporter - changed status to resolved
reporter - changed status to closed
released with jose4j-0.5.6 on May 12, 2017
or maybe put it in the JwtConsumer itself ...
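
The configuration this issue describes, as an added example that is not code from the issue or from the jose4j project: one consumer whose AlgorithmConstraints refuse `none`, beside one that opts in to accepting it without consulting the key resolver. It assumes jose4j 0.5.6 or later and that the opt-in is `JwtConsumerBuilder.setSkipVerificationKeyResolutionOnNone()` (a name that does not appear on this page); the class name, subject value and generated key are constructed for illustration.

```java
import java.util.Collections;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;

public class NoneAlgKeyResolutionExample {
    public static void main(String[] args) throws Exception {
        // Constructed sample: an unsecured JWT (alg "none", empty signature part).
        JwtClaims claims = new JwtClaims();
        claims.setSubject("example-subject");
        claims.setExpirationTimeMinutesInTheFuture(5);
        JsonWebSignature unsecured = new JsonWebSignature();
        unsecured.setAlgorithmConstraints(AlgorithmConstraints.NO_CONSTRAINTS);
        unsecured.setAlgorithmHeaderValue(AlgorithmIdentifiers.NONE);
        unsecured.setPayload(claims.toJson());
        String jwt = unsecured.getCompactSerialization();
        // Throwaway key standing in for the real JWKS (constructed for the example).
        JsonWebKey jwk = RsaJwkGenerator.generateJwk(2048);
        JwksVerificationKeyResolver resolver =
            new JwksVerificationKeyResolver(Collections.singletonList(jwk));
        // Constraints permit RS256 only, so the "none" JWT is rejected.
        JwtConsumer strict = new JwtConsumerBuilder()
            .setVerificationKeyResolver(resolver)
            .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                ConstraintType.WHITELIST, AlgorithmIdentifiers.RSA_USING_SHA256))
            .build();
        try {
            strict.processToClaims(jwt);
            throw new IllegalStateException("unsecured JWT was accepted");
        } catch (InvalidJwtException e) {
            System.out.println("strict consumer rejected the JWT: " + e.getMessage());
        }
        // Opt-in: "none" explicitly permitted, no signature required, resolver skipped.
        JwtConsumer optIn = new JwtConsumerBuilder()
            .setVerificationKeyResolver(resolver)
            .setJwsAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.WHITELIST,
                AlgorithmIdentifiers.NONE, AlgorithmIdentifiers.RSA_USING_SHA256))
            .setSkipVerificationKeyResolutionOnNone()
            .setDisableRequireSignature()
            .build();
        System.out.println("opt-in subject: " + optIn.processToClaims(jwt).getSubject());
    }
}
```

Claims returned by the opt-in consumer for an unsecured JWT are unauthenticated, so the constraint list in the first consumer is what keeps `none` out where it is not acceptable.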