[Security:improvement] Do not accept a "none" signature in JWT if we enforce signature verification
This issue is an open question.
Today, in `verifyJWTSignature`, we accept a JWT with the `none` algorithm, as this is a valid algorithm:
```perl
if ( $alg eq "none" ) {
    # If none alg, signature should be empty
    if ( $jwt_parts->[2] ) {
        $self->logger->debug( "Signature "
              . $jwt_parts->[2]
              . " is present but algorithm is 'none'" );
        return 0;
    }
    # No signature and alg 'none': currently treated as a valid JWT
    return 1;
}
```
But if there is no signature, I think we should not accept this JWT. If an admin needs to allow `none`, it means he does not want to verify the signature.
From a security point of view, an attacker can modify a JWT to remove the signature and change `alg` to `none`. In this case, our verification method will not detect the attack. It is not very risky in LL::NG, as the ID Token is not used as a cookie value, so the attacker needs to inject the hacked ID Token between the LL::NG RP and the OpenID Connect provider.
From my point of view, we should change the behavior of our verification method to refuse the `none` algorithm. What do you think?
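The behaviour proposed above, written out as an added Python example (not code from the issue and not LemonLDAP::NG's Perl implementation): the verifier keeps its own allow-list of algorithms and refuses anything else, so `alg` from the untrusted header can no longer pick `none`. The HS256 signing helper, the `DEMO_KEY` secret and the `downgraded_to_none` test vector are constructed for the example; a real RP would take the key or JWKS from the OpenID Connect provider.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret (not from the issue or LL::NG); a real RP gets the
# key/JWKS from the OpenID Connect provider.
DEMO_KEY = b"constructed-shared-secret-for-demo-only"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build a compact JWT signed with HMAC-SHA256 (used here only to produce test tokens)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt_signature(token: str, key: bytes, allowed_algs=("HS256",)) -> bool:
    """Return True only if the signature is valid for an explicitly allowed alg.

    'none' is refused unless the administrator put it in allowed_algs, which is
    the change the issue proposes: the verifier, not the token, decides which
    algorithms are acceptable.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        return False
    if not isinstance(header, dict):
        return False
    alg = header.get("alg")
    # Allow-list check: an alg the deployment did not opt into is refused,
    # which also covers spelling variants such as "None" or "NONE".
    if alg not in allowed_algs:
        return False
    if alg == "none":
        # Only reachable when the admin explicitly allowed 'none'; then the
        # signature segment must be empty, as in the original Perl check.
        return sig_b64 == ""
    # HS256: recompute the MAC over header.payload and compare in constant time.
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        return False
    return hmac.compare_digest(expected, presented)


def downgraded_to_none(token: str) -> str:
    """Constructed regression-test vector: the tampering the issue describes,
    i.e. the header's alg switched to 'none' and the signature segment removed."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    header["alg"] = "none"
    new_header = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return new_header + "." + payload_b64 + "."


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice", "iss": "https://op.example"}, DEMO_KEY)
    print("genuine HS256 token accepted:", verify_jwt_signature(good, DEMO_KEY))
    print("alg=none downgrade accepted:",
          verify_jwt_signature(downgraded_to_none(good), DEMO_KEY))
```

The allow-list is the important part: comparing `alg` against a fixed set chosen by the deployment means a token cannot talk the verifier into skipping the MAC check, and the `none` branch keeps the original "signature must be empty" rule for the case where an admin deliberately turns verification off.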