[keycloak-dev] Critical vulnerabilities in JSON Web Token libraries

Marek Posolda mposolda at redhat.com
Fri Apr 3 03:43:55 EDT 2015

It seems to me that we are not vulnerable to this. We're using 
RSATokenVerifier everywhere and only allowed algorithms are the RS256, 
RS384, RS512. And for all of them, attacker would need realm private key 
to sign the token.


On 2.4.2015 20:54, Pedro Igor Silva wrote:
> FYI,
>      https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
> Regards.
> Pedro Igor
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list