jsonwebtoken
Provide a better API for decoding a token without signature validation
Currently you have to use:
```rust
use jsonwebtoken::{Algorithm, DecodingKey, Validation};

// `Claims` is the caller's own serde-deserializable struct for the payload.
// Algorithm can be arbitrarily chosen: it is never checked once signature validation is off.
let mut validation = Validation::new(Algorithm::RS256);
validation.insecure_disable_signature_validation();
// Key can be arbitrarily chosen: it is never used either.
let key = DecodingKey::from_secret(&[]);
let payload = jsonwebtoken::decode::<Claims>(token, &key, &validation).unwrap();
```
I think the following API would be better:
```rust
let mut validation = jsonwebtoken::Validation::insecure_without_signature_validation();
let payload = jsonwebtoken::insecure_decode_without_signature_validation::<Claims>(token, &validation).unwrap();
```
You avoid having to choose a random algorithm and decoding key that isn't ever used.
Honestly, decoding a token without validating the signature is something that you shouldn't do most of the time, so I do not particularly care about making it user friendly.
It is useful as a client using the token to be able to see what claims are inside the token. exp can be really useful.
Well, you can't really trust any of the things you see in the claims unless you validate the signature.
Sure, but I'm the client. I don't have access to the server's secret key.
Today, I encountered the same issue. It would be nice if we could make this easier. Here is the scenario:
- I need to decode the token, look into the claims without validation, and extract the issuer's name.
- Use the issuer's name to find the correct public key file from a list of public keys I have.
- Use the key to perform the verification/validation.
I tried the solution provided by @tyilo, but I failed to decode without the audience validation step. I used this option to disable it:
```rust
let mut validation = jsonwebtoken::Validation::new(jsonwebtoken::Algorithm::RS256);
validation.insecure_disable_signature_validation();
// Also skip the audience check, which otherwise fails on tokens without a matching `aud`.
validation.validate_aud = false;
```
For example, in TypeScript this package provides more or less what I need: node-jsonwebtoken
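The three-step scenario above (peek at the unverified claims for `iss`, pick the matching key, then verify) as an added example in stdlib Python; it is not code from this thread or from the jsonwebtoken crate. It assumes constructed HS256 shared secrets per issuer in place of the RS256 public key files, and shows why the peeked `iss` can only be a routing hint: a token that claims issuer A but was signed with B's key is rejected at signature time, and `exp` is still enforced after the signature passes.

```python
import base64, hashlib, hmac, json

# Constructed demo keys, one per issuer (stand-in for the per-issuer public key files
# in the scenario; HS256 shared secrets keep this runnable without an RSA library).
KEYS_BY_ISSUER = {
    "https://issuer-a.example": b"constructed-secret-a",
    "https://issuer-b.example": b"constructed-secret-b",
}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def peek_claims(token):
    """Read the payload without checking anything: fine as a routing hint, nothing more."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))

def decode_verified(token, now):
    """Use the unverified 'iss' only to pick a key, then verify signature and exp."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    key = KEYS_BY_ISSUER.get(peek_claims(token).get("iss"))
    if key is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # a forged 'iss' ends here: the chosen key does not match
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def make_token(signing_issuer, claims):
    """Constructed helper: mint an HS256 token with signing_issuer's key (claims may override 'iss')."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iss": signing_issuer, **claims}).encode())
    sig = hmac.new(KEYS_BY_ISSUER[signing_issuer], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_outcome(token, now):
    """Return the accepted claims, or the rejection reason as a string."""
    try:
        return decode_verified(token, now)
    except ValueError as err:
        return str(err)
```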
> Well you can't really trust any of the things you see in the claims unless you validate the signature
> Sure, but I'm the client. I don't have access to the server's secret key.
You are totally right, it makes no sense to not be able to decode a JWT on the client side; this function is pretty simple and supported by most of the other JWT libraries I had to face. When this library is used on the server side it totally makes sense to force the validation, as that is basically how JWT works.
There is really no real benefit in not implementing this feature and the author is asking for the impossible, we cannot use this library without those workarounds.
Any update on this? I have the same requirement as @pooriatgh.
Would it be acceptable to hide that API behind a .dangerous function call, similar to how rustls implements such things? If that would be an acceptable compromise, I could create an MR for it.
I'd take a PR for something like jsonwebtoken::insecure_decode_without_signature_validation
This should be fixed now in #441 and can probably be closed.
#441 disables validation entirely, i.e. no exp, nbf, etc. verification.
Since all the validation primitives are pub(crate) only, those can't even be reused.
IMO there should be a jsonwebtoken::dangerous::insecure_decode_with_validation too.
In practice there's no point validating a token where you don't validate the signature, so that would be a useless function to add.