When decoding a signed JWT token, the algorithm and algorithms options should be made optional. The algorithm is already present in the JWT header, which makes setting it manually redundant. Furthermore, the signing method used by an OAuth2.0/OpenID provider might be unknown to the user, which makes implementing token validation with ruby-jwt very difficult.
Current behavior:
- algorithm or algorithms option is required when decoding a signed token
Desired behavior:
- algorithm should be set automatically from alg in JWT header
For that purpose the method allowed algorithms can be changed to automatically add the algorithm from JWT to allowed ones: https://github.com/jwt/ruby-jwt/blob/master/lib/jwt/decode.rb#L49
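What taking the algorithm from the token header means for verification, as an added example that is not part of the issue and is not ruby-jwt code. It uses only Ruby's standard library; `decode`, `accepted?`, the sample key and both tokens are constructed for illustration, and `allowed: nil` models the requested behaviour.

```ruby
# Added example, not ruby-jwt code. Stdlib-only verifier for "HS256" and "none".
require 'openssl'
require 'json'
def b64e(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end
def b64d(str)
  str.tr('-_', '+/').unpack1('m')
end

# Build a compact token; alg "none" leaves the signature segment empty.
def encode(payload, secret, alg)
  input = "#{b64e(JSON.generate({ 'alg' => alg, 'typ' => 'JWT' }))}.#{b64e(JSON.generate(payload))}"
  sig = alg == 'HS256' ? OpenSSL::HMAC.digest('SHA256', secret, input) : ''
  "#{input}.#{b64e(sig)}"
end

def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# allowed: nil models the requested behaviour (the token's own alg is trusted).
def decode(token, secret, allowed: nil)
  header_seg, payload_seg, sig_seg = token.split('.', -1)
  raise ArgumentError, 'malformed token' if sig_seg.nil?
  alg = JSON.parse(b64d(header_seg))['alg']
  allowed ||= [alg]
  raise ArgumentError, "algorithm #{alg.inspect} not allowed" unless allowed.include?(alg)
  input = "#{header_seg}.#{payload_seg}"
  sig = b64d(sig_seg)
  valid = case alg
          when 'HS256' then secure_equal?(OpenSSL::HMAC.digest('SHA256', secret, input), sig)
          when 'none'  then sig.empty?
          else false
          end
  raise ArgumentError, 'bad signature' unless valid
  JSON.parse(b64d(payload_seg))
end

def accepted?(token, secret, allowed: nil)
  decode(token, secret, allowed: allowed)
  true
rescue ArgumentError
  false
end

SECRET   = 'constructed-demo-secret'                       # constructed sample key
SIGNED   = encode({ 'sub' => 'alice' }, SECRET, 'HS256')   # constructed token
UNSIGNED = encode({ 'sub' => 'alice' }, SECRET, 'none')    # constructed, no signature
```

With `allowed: nil` the unsigned token is accepted because its header names `none`; with `allowed: ['HS256']` the same token is rejected before any signature check runs.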