Critical vulnerabilities in JSON Web Token libraries - keycloak-dev - Jboss List Archives

2025

January

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Critical vulnerabilities in JSON Web Token libraries

broker mappers

initial PL SAML fork

Pedro Igor Silva

Thursday, 2 April 2015 Thu, 2 Apr '15

1:54 p.m.

FYI, https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-to... Regards. Pedro Igor

Reply

Show replies by date

Marek Posolda

Friday, 3 April Fri, 3 Apr

2:43 a.m.

It seems to me that we are not vulnerable to this. We're using RSATokenVerifier everywhere and only allowed algorithms are the RS256, RS384, RS512. And for all of them, attacker would need realm private key to sign the token. Marek On 2.4.2015 20:54, Pedro Igor Silva wrote:

FYI, https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-to... Regards. Pedro Igor _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

Reply

Stian Thorgersen

Tuesday, 7 April Tue, 7 Apr

1:55 a.m.

Interesting attack, especially using the public key as hmac secret. Definitively worth considering if/when we add support for more algs ;) ----- Original Message -----

From: "Pedro Igor Silva" <psilva(a)redhat.com> To: "keycloak dev" <keycloak-dev(a)lists.jboss.org> Sent: Thursday, 2 April, 2015 8:54:17 PM Subject: [keycloak-dev] Critical vulnerabilities in JSON Web Token libraries FYI, https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-to... Regards. Pedro Igor _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

Reply

3571

days inactive

3576

days old

keycloak-dev@lists.jboss.org

Manage subscription

2 comments

3 participants

tags (0)

participants (3)

Marek Posolda
Pedro Igor Silva
Stian Thorgersen