[keycloak-dev] Critical vulnerabilities in JSON Web Token libraries
Marek Posolda
mposolda at redhat.com
Fri Apr 3 03:43:55 EDT 2015
It seems to me that we are not vulnerable to this. We're using
RSATokenVerifier everywhere, and the only allowed algorithms are RS256,
RS384 and RS512. For all of them, an attacker would need the realm private key
to sign the token.
Marek
On 2.4.2015 20:54, Pedro Igor Silva wrote:
> FYI,
>
> https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
>
> Regards.
> Pedro Igor
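The algorithm allow-list described in the reply above, sketched as an added example; it is not Keycloak code and not the RSATokenVerifier implementation. The names `select_rsa_digest`, `make_token` and `gate_result` are hypothetical, the tokens are constructed samples, and the RSA signature check itself is assumed to happen afterwards with the realm public key.

```python
import base64
import json

# Allow-list named in the message above: RSA signature algorithms only.
ALLOWED_ALGS = {"RS256": "sha256", "RS384": "sha384", "RS512": "sha512"}


class RejectedToken(ValueError):
    """Raised when a token fails the pre-verification checks."""


def b64url_decode(segment: str) -> bytes:
    # JWS uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def select_rsa_digest(token: str) -> str:
    """Return the digest for RSA verification, or raise before any key is used."""
    parts = token.split(".")
    if len(parts) != 3:
        raise RejectedToken("expected header.payload.signature")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise RejectedToken("unreadable header") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    # Exact, case-sensitive match: "none", "None", "HS256" and "rs256" all fail.
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise RejectedToken(f"algorithm not allowed: {alg!r}")
    return ALLOWED_ALGS[alg]


def make_token(alg) -> str:
    """Build a constructed sample token; the signature bytes are placeholders."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": "constructed-user"}).encode())
    return f"{header}.{payload}.{b64url_encode(b'constructed-signature')}"


def gate_result(token: str) -> str:
    """Summarise the gate decision for one token as a short string."""
    try:
        return "verify with RSA/" + select_rsa_digest(token)
    except RejectedToken as exc:
        return "rejected: " + str(exc)
```

The point of the gate is that the verifier, not the token header, decides which algorithm family is acceptable; a header declaring anything outside the three RSA algorithms never reaches key handling.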