Our security testers identified that the "none" algorithm is accepted in the JWT header, meaning that a signature does not have to be provided and verified by the server.
This means that a potential attacker can change the JWT payload, which may result in unfavorable actions on the API that is protected by the JWT token.
Steps to reproduce the issue
1. Get a token for <domainname>.
2. Use token.dev to modify the JWT and set the algorithm to none (as below).
Initial header:
    {
      "typ": "JWT",
      "alg": "RS256"
    }
Modified header:
    {
      "typ": "JWT",
      "alg": "none"
    }
3. Use the modified token to invoke the API.
API Gateway OAuth Toolkit
The customer was using a custom JWK token.
Detecting JWT token tampering
With non-custom (default) tokens, tampering is detected: the Decode Json Web Token assertion validates the signature of the id_token.
When a custom token is used, the Decode Json Web Token assertion does not pick up tampering.
For this, see the documentation link on validating custom id_tokens:
Generate and Validate an ID Token