Commit e04a6f19 authored by Clément OUDOT's avatar Clément OUDOT

Reject none algorithm when checking JWT signature (#1835)

parent f370255c
......@@ -19,7 +19,7 @@ use Mouse;
use Lemonldap::NG::Portal::Main::Constants qw(PE_OK PE_REDIRECT);
our $VERSION = '2.0.5';
our $VERSION = '2.0.6';
# OpenID Connect standard claims
use constant PROFILE => [
......@@ -768,7 +768,9 @@ sub verifyJWTSignature {
. " is present but algorithm is 'none'" );
return 0;
}
return 1;
$self->logger->debug(
"JWT algorithm is 'none', signature cannot be verified");
return 0;
}
if ( $alg eq "HS256" or $alg eq "HS384" or $alg eq "HS512" ) {
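Review bot: With the new lines at L17-L19 both paths of what appears to be the alg-'none' branch return 0, so the inner check that rejects a present signature (L13-L15) is now dead weight and only changes the log level; a single rejection, `$self->logger->warn("JWT rejected: algorithm is 'none'"); return 0;`, would be clearer and also logs the rejection at a level operators actually see, since a debug-level message is the one most likely to be filtered out in production. The rejection is security-relevant (the commit title says why), so I would not log it below warn. The hunk shows only the 'none' branch; since `eq "none"` is case-sensitive, it is worth confirming that the fall-through for any alg value not matched by the visible branches also returns 0 rather than something truthy. verifyJWTSignature begins and ends outside this hunk.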