Would you consider changing the methods you expose so as to avoid common JWT mistakes? #704
oskarpearson started this conversation in Ideas
Replies: 0 comments
For context: In reviewing the code for the "keycloak gem" I found imagov/keycloak#33 (comment)
This sort of issue is, unfortunately, extremely common.
The concern I have is that the implications of supplying `false` to `JWT.decode` aren't very clear to someone using this gem (ruby-jwt).

It seems like if we had a "sensible baseline" method that did "the right thing" as the main interface for using this gem, and then had "clearly unsafe" ways of interacting with the gem when needing to get at the internals, it would help prevent this sort of foot-gun.
#528 and #433 have related discussions.
If one was to create the equivalent of https://libsodium.gitbook.io/doc for parsing and handling JWTs in ruby, what would it look like?
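The foot-gun described above, as an added example that is not part of the original post and is not ruby-jwt's code or API: a minimal HS256 JWT on the Ruby standard library, with an "unverified parse" (what a `false` verify flag amounts to) next to a "verified decode" whose key and algorithm allow-list are mandatory keyword arguments. The module name `SafeJwt`, its method names, the key `SERVER_KEY`, the fixed clock `NOW` and the four sample tokens are all constructed for the demonstration.

```ruby
require 'openssl'
require 'json'

# Added example (not ruby-jwt's code): a minimal HS256 JWT built on the Ruby
# standard library, with an unverified parse next to a verified decode, to
# show why a bare `verify = false` is a foot-gun. Names are hypothetical.
module SafeJwt
  class Error < StandardError; end

  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    padded = str + '=' * ((4 - str.length % 4) % 4)
    padded.tr('-_', '+/').unpack1('m0')
  end

  # Constant-time byte comparison so the signature check does not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Issue an HS256 token. The header is fixed by the issuer, not by caller input.
  def self.sign(payload, key)
    header = { 'alg' => 'HS256', 'typ' => 'JWT' }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', key, signing_input))}"
  end

  # The "clearly unsafe" operation: read claims without checking the signature.
  # Nothing here proves the token was issued by someone holding the key.
  def self.unverified_claims(token)
    _header_b64, payload_b64, _sig_b64 = token.split('.', 3)
    JSON.parse(b64url_decode(payload_b64))
  end

  # The "sensible baseline": key and algorithm allow-list are required, the
  # token's own `alg` header is only consulted to check it is on that list
  # (so "none" and algorithm-confusion are rejected), the signature is compared
  # in constant time, and exp/nbf are enforced. Returns claims or raises Error.
  def self.verified_claims(token, key:, algorithms: ['HS256'], now: Time.now.to_i)
    parts = token.split('.', -1)
    raise Error, 'malformed token' unless parts.length == 3
    header_b64, payload_b64, sig_b64 = parts
    alg = JSON.parse(b64url_decode(header_b64))['alg']
    raise Error, "alg #{alg.inspect} not in allow-list" unless algorithms.include?(alg)
    raise Error, "alg #{alg} not implemented here" unless alg == 'HS256'
    expected = OpenSSL::HMAC.digest('SHA256', key, "#{header_b64}.#{payload_b64}")
    raise Error, 'bad signature' unless secure_equal?(expected, b64url_decode(sig_b64))
    claims = JSON.parse(b64url_decode(payload_b64))
    raise Error, 'token expired' if claims.key?('exp') && claims['exp'].to_i <= now
    raise Error, 'token not yet valid' if claims.key?('nbf') && claims['nbf'].to_i > now
    claims
  end
end

# Constructed inputs for the demonstration: a server key, a fixed clock, an
# honest token, and tokens an attacker could hand to a service that skips
# verification.
SERVER_KEY = 'constructed-demo-secret-do-not-reuse'
NOW = 1_700_000_000

def honest_token
  SafeJwt.sign({ 'sub' => 'alice', 'exp' => NOW + 3600 }, SERVER_KEY)
end

def forged_token
  # Signed with a key of the attacker's choosing; only verification notices.
  SafeJwt.sign({ 'sub' => 'admin', 'exp' => NOW + 3600 }, 'attacker-key')
end

def alg_none_token
  # "alg":"none" with an empty signature, the classic unsigned-token trick.
  header = SafeJwt.b64url(JSON.generate({ 'alg' => 'none' }))
  "#{header}.#{SafeJwt.b64url(JSON.generate({ 'sub' => 'admin' }))}."
end

def expired_token
  SafeJwt.sign({ 'sub' => 'alice', 'exp' => NOW - 1 }, SERVER_KEY)
end

# What each interface says about a token: [unverified subject, verified result].
def subject_or_error(token)
  verified = begin
    SafeJwt.verified_claims(token, key: SERVER_KEY, now: NOW)['sub']
  rescue SafeJwt::Error => e
    "rejected: #{e.message}"
  end
  [SafeJwt.unverified_claims(token)['sub'], verified]
end

if __FILE__ == $PROGRAM_NAME
  { honest: honest_token, forged: forged_token, none: alg_none_token, expired: expired_token }
    .each { |name, tok| puts "#{name}: unverified=%s verified=%s" % subject_or_error(tok) }
end
```

The unverified parse returns `admin` for both the forged and the `alg: none` token, which is exactly the outcome the keycloak issue above describes; the verified decode rejects both and the expired token, and it cannot be called without a key or with the token's own `alg` deciding the algorithm. That separation of a safe default from an explicitly named unsafe path is what a libsodium-style interface for JWTs would look like.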