ruby-jwt
Possibility to override the alg header when encoding tokens
Currently it's not possible to override the alg header value using the header parameter. To me it seems intuitive not to touch the user-specified values and just go with them.
Suggestion is not to populate the alg header if that is already given by the user.
From what I understand this would be a massive security issue.
"The widest known issue is probably that the header allows for a[n] alg claim to specify which algorithm was used to sign the token. Bad implementations would (by default) use this claim to choose how to verify the token; which means an attacker could simply put "alg":"none", claim to be the most super of admins, and the application would accept those claims and grant all the access." [Source]
That would for sure be a big problem. Changed the subject to hopefully be a bit clearer what the scope is.
The intention here is to preserve the user defined alg value passed to the encoding logic. Currently the alg value is always taken from the used algorithm, but the user provided value could as well just be used.
For example:
JWT.encode(payload, key, 'HS256', { alg: 'CustomALG' })  # header_fields is the fourth positional argument
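To make the two sides of this thread concrete, here is an added example (not ruby-jwt's code, and not posted by anyone in the issue): a minimal JWS encoder with a `preserve_user_alg` switch that mimics the current behaviour (alg header always taken from the algorithm argument) versus the proposed one (a caller-supplied alg header is kept), plus the two kinds of verifier the quoted comment contrasts. The "bad" verifier lets the token's own alg header choose the algorithm and therefore accepts an unsigned `alg: none` forgery; the "good" verifier pins the algorithm and rejects both the forgery and a mislabelled `CustomALG` token. Only HS256 and `none` are implemented; the key, payload and module name are constructed for the example.

```ruby
require 'openssl'
require 'json'

# Added example, not ruby-jwt's code: a tiny JWS encoder and two verifiers.
module MiniJwt
  module_function

  # base64url without padding, as JWS requires
  def b64(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def unb64(str)
    s = str.tr('-_', '+/')
    (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
  end

  def sign(signing_input, key, alg)
    case alg
    when 'HS256' then OpenSSL::HMAC.digest('SHA256', key, signing_input)
    when 'none'  then ''
    else raise ArgumentError, "unsupported alg #{alg.inspect}"
    end
  end

  # Constant-time comparison so the signature check does not leak via timing.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # preserve_user_alg: false -> alg header always comes from `algorithm`
  #                             (the current behaviour described in the issue)
  # preserve_user_alg: true  -> a caller-supplied :alg header field is kept,
  #                             while the token is still signed with `algorithm`
  #                             (the behaviour proposed in the issue)
  def encode(payload, key, algorithm, header_fields = {}, preserve_user_alg: false)
    header = { 'typ' => 'JWT' }.merge(header_fields.transform_keys(&:to_s))
    header['alg'] = algorithm unless preserve_user_alg && header.key?('alg')
    signing_input = "#{b64(JSON.generate(header))}.#{b64(JSON.generate(payload))}"
    "#{signing_input}.#{b64(sign(signing_input, key, algorithm))}"
  end

  def header_of(token)
    JSON.parse(unb64(token.split('.', 3).first))
  end

  # Bad verifier: trusts the token's own alg header. A forged token carrying
  # "alg":"none" and an empty signature passes, which is the attack quoted above.
  def decode_trusting_header(token, key)
    h, p, s = token.split('.', 3)
    expected = sign("#{h}.#{p}", key, header_of(token)['alg'])
    raise 'bad signature' unless secure_equal(expected, unb64(s.to_s))
    JSON.parse(unb64(p))
  end

  # Good verifier: the caller pins the algorithm; the header merely has to agree,
  # so neither an unsigned token nor a mislabelled "CustomALG" token is accepted.
  def decode_pinned(token, key, algorithm)
    raise ArgumentError, 'refusing to verify unsigned tokens' if algorithm == 'none'
    h, p, s = token.split('.', 3)
    got = header_of(token)['alg']
    raise "unexpected alg #{got.inspect}, wanted #{algorithm}" unless got == algorithm
    expected = sign("#{h}.#{p}", key, algorithm)
    raise 'bad signature' unless secure_equal(expected, unb64(s.to_s))
    JSON.parse(unb64(p))
  end
end

KEY = 'constructed-demo-secret'.freeze             # constructed for the example
PAYLOAD = { 'sub' => 'alice', 'admin' => false }.freeze

# An attacker needs no key to build this: alg "none" with an empty signature.
def forged_admin_token
  MiniJwt.encode({ 'sub' => 'alice', 'admin' => true }, '', 'none')
end

if __FILE__ == $PROGRAM_NAME
  good = MiniJwt.encode(PAYLOAD, KEY, 'HS256')
  puts "pinned verifier, signed token:   #{MiniJwt.decode_pinned(good, KEY, 'HS256')}"
  puts "header-trusting verifier, forgery: #{MiniJwt.decode_trusting_header(forged_admin_token, KEY)}"
  begin
    MiniJwt.decode_pinned(forged_admin_token, KEY, 'HS256')
  rescue RuntimeError => e
    puts "pinned verifier, forgery:        rejected (#{e.message})"
  end
  labelled = MiniJwt.encode(PAYLOAD, KEY, 'HS256', { alg: 'CustomALG' }, preserve_user_alg: true)
  puts "proposed encoder keeps caller's alg header: #{MiniJwt.header_of(labelled)['alg']}"
end
```

The takeaway for the thread: letting the encoder keep a caller-supplied alg header is only harmless when every verifier of those tokens pins the algorithm the way `decode_pinned` does; a mislabelled token then simply fails verification. The real danger the quoted comment describes lives on the decoding side, where a verifier that reads `alg` from the header to decide how to verify accepts the `none` forgery regardless of what the encoder did.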