feat: support unsecured JWTs (alg: none, RFC 7519 s6.1)#459

Open
kimjune01 wants to merge 2 commits into
mike-engel:mainfrom
kimjune01:fix/unsecured-jwt-253

Conversation

@kimjune01 kimjune01 commented May 12, 2026

Summary

  • Add support for decoding and encoding unsecured JWTs (alg: none) per RFC 7519 Section 6.1
  • Decoding: detect empty-signature JWTs and display them without requiring a secret
  • Encoding: add --algorithm none flag to produce unsecured tokens with empty signature
  • Display the correct alg header value for unsecured JWTs

Fixes #253

Test plan

  • New tests for encoding and decoding unsecured JWTs
  • Existing JWT tests pass unchanged

Sweep attestation e89918ea4a89 — see the receipts footer below.

kimjune01 added 2 commits May 11, 2026 23:32
…ke-engel#253)

Encode with --alg none (no --secret required):
  jwt encode --alg none -P role=my-role

Decode unsecured JWTs (alg: "none" in header):
  jwt decode eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UifQ.

Bypasses jsonwebtoken library for the none case since it does not
support alg: none. Encoding produces header.payload. (empty sig).
Decoding parses base64url parts directly.

The jsonwebtoken::Header struct cannot represent alg: "none", so
decode_unsecured_token was using HS256 as a placeholder. This caused
decoded unsecured JWTs to display "alg": "HS256" instead of "alg": "none".

Fix by preserving the raw header JSON from unsecured tokens and using it
for display in print_decoded_token. Normal signed JWTs are unaffected.
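The two commit messages above describe the token shape this PR handles: a header whose alg is exactly "none", a payload, and an empty third segment. The following Python is an added, stand-alone illustration of that format (not jwt-cli's Rust code): it encodes an unsecured token, decodes one, and refuses a token whose header names a signing algorithm but whose signature is empty. The allow_none opt-in is an assumption added here to show the explicit-selection guardrail, not a jwt-cli flag.

```python
"""Encode and decode unsecured JWTs (RFC 7519 s6.1) with an explicit opt-in."""
import base64
import json


def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT segments omit before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_unsecured(claims: dict) -> str:
    # Header is fixed to {"alg":"none"}; the third segment is deliberately empty
    header = b64url_encode(json.dumps({"alg": "none"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


class UnsecuredJwtError(ValueError):
    """Raised when a token is not an acceptable unsecured JWT."""


def decode_unsecured(token: str, allow_none: bool = False) -> tuple[dict, dict]:
    parts = token.split(".")
    if len(parts) != 3:
        raise UnsecuredJwtError("expected header.payload.signature (three segments)")
    header = json.loads(b64url_decode(parts[0]))
    # Exact match only: an empty signature on any other alg is a malformed
    # signed token and must go through signature verification, never here
    if header.get("alg") != "none":
        raise UnsecuredJwtError("header alg is not 'none'; use the signed-JWT path")
    if parts[2] != "":
        raise UnsecuredJwtError("unsecured JWT must have an empty signature segment")
    if not allow_none:  # assumed opt-in gate, not part of jwt-cli
        raise UnsecuredJwtError("alg 'none' rejected: caller did not opt in")
    return header, json.loads(b64url_decode(parts[1]))


if __name__ == "__main__":
    # Constructed input: the RFC 7519 section 6.1 example token
    token = "eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UifQ."
    print(decode_unsecured(token, allow_none=True))
    print(encode_unsecured({"iss": "joe"}) == token)
```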
@hiSandog

Supporting alg: none is useful for standards completeness, but it is worth making the unsafe nature very explicit in CLI help and examples. A good guardrail would be tests that decoding an unsecured token works without a secret, while encoding with --algorithm none is only possible when the user explicitly asks for that algorithm. That keeps the feature from being accidentally selected in normal signed-token workflows.

Development

Successfully merging this pull request may close these issues.

Unsecured JWT