If a JSON Web Token (JWT) is not signed with a strong cipher algorithm (or not signed at all) an attacker can forge it and impersonate user identities.
none
algorithm to sign or verify the validity of a token. Using jwtk/Java JWT library (to verify a signed token (containing a JWS) don’t use the
parse
method as it doesn’t throw an exception if an unsigned token is provided):
// Signing: io.jsonwebtoken.Jwts.builder() // Noncompliant, token is not signed. .setSubject(USER_LOGIN) .compact(); // Verifying: io.jsonwebtoken.Jwts.parser().setSigningKey(SECRET_KEY).parse(token).getBody(); // Noncompliant
Using auth0/Java JWT library:
// Signing: com.auth0.jwt.JWT.create() .withSubject(SUBJECT) .sign(Algorithm.none()); // Noncompliant, use only strong cipher algorithms when signing this JWT. // Verifying: JWTVerifier nonCompliantVerifier = com.auth0.jwt.JWT.require(Algorithm.none()) // Noncompliant .withSubject(LOGIN) .build();
Using Java JWT library (to verify a signed token (containing a JWS) use the parseClaimsJws
method that will throw an exception if an unsigned token is provided):
// Signing: Jwts.builder() // Compliant .setSubject(USER_LOGIN) .signWith(SignatureAlgorithm.HS256, SECRET_KEY) .compact(); // Verifying: Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody(); // Compliant
Using auth0/Java JWT library. I
// Signing: JWT.create() .withSubject(SUBJECT) .sign(Algorithm.HMAC256(SECRET_KEY)); // Compliant // Verifying: JWTVerifier nonCompliantVerifier = JWT.require(Algorithm.HMAC256(SECRET_KEY)) // Compliant .withSubject(LOGIN) .build();