Our security testers identified that the "none" algorithm is accepted in the JWT header, meaning that a signature does not have to be provided or verified by the server.
This means that a potential attacker can change the JWT payload, which may result in unfavorable actions on the API that is protected by the JWT token.
Steps to reproduce the issue
1- Get a token for <domainname>
2- Use token.dev to modify the JWT and set the algorithm to none (as below)
3- Use the modified token to invoke the API
The customer was using a custom JWK token.
Release: 10.0
Component: API GATEWAY
Detecting JWT Token Tampering
Non-custom (default) tokens detect tampering: the Decode Json Web Token assertion validates the signature of the id_token.
When using a custom token, the Decode Json Web Token assertion does not pick up tampering.
For this case, see the docs link for validating custom id_tokens.
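As an added illustration of what a validator for custom tokens must do to detect this tampering (example code, not the gateway's own assertion logic): the server keeps its own allowlist of signature algorithms, never honours "none" from the header, and verifies the signature before trusting any claim. It assumes an HS256 shared secret; the key, the token helpers and the payloads are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"example-shared-secret"  # constructed demo key, not a real secret
ALLOWED_ALGS = {"HS256"}           # server-side allowlist; "none" is never in it

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256_token(payload: dict, secret: bytes = SECRET) -> str:
    # Mint a correctly signed token to serve as the "good" input.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def none_alg_token(payload: dict) -> str:
    # Test input with the shape from the reproduction steps: alg=none, empty signature.
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}."

def verify_token(token: str, secret: bytes = SECRET) -> dict:
    # Return the payload only if alg is allowlisted AND the signature checks out.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header_b64, body_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg not in ALLOWED_ALGS:  # rejects "none" and any unexpected algorithm
        raise ValueError(f"algorithm not allowed: {alg!r}")
    signed = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    if not sig_b64 or not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(body_b64))

def is_accepted(token: str, secret: bytes = SECRET) -> bool:
    # Convenience wrapper: True only for tokens that pass every check above.
    try:
        verify_token(token, secret)
        return True
    except ValueError:  # also covers bad base64 and bad JSON
        return False
```

A token whose header says alg=none, one with its signature segment stripped, and one signed with a different key are all rejected by verify_token, while the correctly signed token yields its claims.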