I am facing an issue while validating an Okta token using JWTTokenValidator.
For example, the token is:
eDue41r18EPlCG8JwTAxYAv15jfInh$$$$$$9hf6H6XBZYSradVOSk9A7wvwB3oJT-mlXT&&&&&&orwa3SIRffZCKunOUKiA******dyvlx0BQutl3YYdfuBzk4OlhqNlump@@@@@@JARQg
Case 1:
If I change the last character here to one greater than ‘g’, i.e. ‘h’ onwards till ‘z’, then JWT validation succeeds (i.e. an unexpected result).
Case 2:
If I change the last character to one less than ‘g’, i.e. ‘a’ to ‘f’, then JWT validation fails (i.e. correct validation).
Using Okta JWT verifier version: ‘0.5.0’
Observations:
In case 1 the padding length is the same for both the local and the token, so it gets through the check and is validated.
In case 2 the padding length is the same for both the local and the token, so it gets through the check, validation fails and the exception is thrown.
Possible solutions tried:
a. JWT token validation issue - Auth0 Community
b. JWT token decoding even when the last character of the signature is changed
Questions raised for the above solution (b):
This solution suggests that it is algorithm specific.
– If this is algorithm specific, then how can we finalize the algorithm to be used, and will the arrival of a new algorithm in future impact our algorithm?
– Why is this not generic?
Expectation:
Validation should fail for both case 1 and case 2, i.e. if I replace any character in the token it should fail the validation.
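As an added example (not from the original post or from the Okta library), the Python below shows the mechanism behind both cases: a JWS signature is unpadded base64url, and when the encoded length leaves unused trailing bits, a lenient decoder maps several final characters to the same signature bytes, so the signature still verifies, while characters that change the covered bits fail as expected. A strict decoder that re-encodes and compares rejects the non-canonical forms. The HS256 key, header/payload and all helper names are constructed for this example; a 256-byte RS256 signature leaves four trailing bits, so 16 final characters are equivalent there.

```python
import base64
import hashlib
import hmac
import string

# Constructed demo values (hypothetical, not from the forum post or Okta).
KEY = b"constructed-demo-hs256-key"
B64URL_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "-_"

def b64url_encode(raw: bytes) -> str:
    """Canonical unpadded base64url, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode_lenient(text: str) -> bytes:
    """Typical decoder: restores '=' padding and silently drops the trailing
    bits that do not complete a byte, so several strings map to one value."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_decode_strict(text: str) -> bytes:
    """Accept only the canonical encoding: decode, re-encode, compare."""
    raw = b64url_decode_lenient(text)
    if b64url_encode(raw) != text:
        raise ValueError("non-canonical base64url (non-zero trailing bits)")
    return raw

def equivalent_last_chars(sig_b64: str) -> set[str]:
    """Final characters a lenient decoder maps to the same signature bytes."""
    body, target = sig_b64[:-1], b64url_decode_lenient(sig_b64)
    return {c for c in B64URL_ALPHABET if b64url_decode_lenient(body + c) == target}

def sign_hs256(signing_input: str, key: bytes) -> str:
    """Append an HS256 signature to 'header.payload' (demo only)."""
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(token: str, key: bytes, strict: bool) -> bool:
    """Verify a token; 'strict' also rejects a non-canonical signature encoding."""
    signing_input, _, sig = token.rpartition(".")
    try:
        provided = (b64url_decode_strict if strict else b64url_decode_lenient)(sig)
    except ValueError:
        return False
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(provided, expected)

HEADER_PAYLOAD = b64url_encode(b'{"alg":"HS256"}') + "." + b64url_encode(b'{"sub":"demo"}')

if __name__ == "__main__":
    token = sign_hs256(HEADER_PAYLOAD, KEY)
    print(sorted(equivalent_last_chars(token.rpartition(".")[2])))  # four chars share one byte value
```

With a 32-byte HMAC the 43-character signature leaves two trailing bits, so four final characters decode identically; the strict decoder is what turns case 1 into a failure without being tied to any particular algorithm.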