`DecodingKey` is validated even when disabling signature validation

[bombsimon]

Thanks for this module, really useful!

I've been using it to decode JWT tokens without verifying them because that's not important and any concern in this specific workflow. Up until v10.0.0 I've been able to pass any DecodingKey to any validation signature as long as signature validation has been turned off, something like this:

#[derive(Clone, Debug, serde::Deserialize)]
#[serde(rename_all = "camelCase")]
struct Claims {
    some_claim: String,
}

// Setting RS265 here to match the JWT
let mut validation = jsonwebtoken::Validation::new(jsonwebtoken::Algorithm::RS256);
validation.validate_aud = false;
validation.insecure_disable_signature_validation(); // Disabling validation
                                                                           
// Easiest to create `DecodingKey` but this does _not_ match the signature (this is Hmac)          
let dummy_key = jsonwebtoken::DecodingKey::from_secret(&[]);

let decoded = jsonwebtoken::decode::<Claims>(token, &dummy_key, &validation)
    .expect("failed to read claims: {err}"))?;

Trying to run this code after v10.0.0 now results in InvalidKeyFormat since even though I'm not interested in verifying the signature we call jwt_verifier_factory which will create a verifier based on the header and pass the key which may contain a different algorithm.

One fix for this is to simply pass a dummy RSA key instead, either a static one generated with something like openssl genrsa 512 | openssl rsa -pubout, or pull in a dependency on openssl and use openssl::rsa::Rsa::generate().

Unless there is some other more idiomatic way to do this? Reading the pinned issue, my interpretation is that this library is strongly against not verifying tokens so maybe this is a very intentional decision and one step further away from simplifying decoding without verifying?

Thanks!

[Keats]

Hm it's probably a change that slipped in the huge crypto backend refactoring. I don't think we have a test for that.

[bombsimon]

Thanks for a swift reply!

Do you want me to look into it and PR a change? Maybe we could conditionally call jwt_verifier_factory and make verifying_provider optional in verify_signature, then we return the payload (claims) as is if validation.validate_signature is false and jwt_verifier_factory is None?

It would be a bit weird since key is required on decode but changing that would be breaking and also more or less the same as implementing the none-algo. Not really sure what's best here 🤔

[dsykes16]

This is blocking spiffe from updating as well. Implementing #401 would meet the requirements for SPIFFE.

[bombsimon]

Oh, my bad. I filed this as a breaking change since it changed in v10.0.0 and though it wasn't up for discussion given the note in #399. But it seems like this is actually something that could be merged.

I saw the issue had #418 linked to it but that isn't moving forward too much (and maybe wasn't the desired impl). If a new method is fine, I was thinking something like this (which I linked in the open PR as well).

[dsykes16]

This is also a blocker to the rust SPIFFE implementation updating to v10. The use-case is available here: https://github.com/maxlambrecht/rust-spiffe/blob/main/spiffe/src/svid/jwt/mod.rs#L243-L245 and https://github.com/maxlambrecht/rust-spiffe/blob/main/spiffe/src/svid/jwt/mod.rs#L165-L169

The sub is the SPIFFE ID, the SPIFFE ID contains the Trust Domain, and the Trust Domain determines which authority it's validated against because SPIFFE supports federation. So parsing claims before validation is required by any SPIFFE implementation. (https://spiffe.io/)

EDIT:
Apologies for the redundant double comment. I thought I never hit submit on the first one. Thankfully 4AM code quality is usually better than 4AM comment quality.

[bombsimon]

I'll close this since although this issue still holds true regarding regression in v10.0.0 I think the obvious fix and path forward is to use dangerous::insecure_decode landed in #441

Thanks for the quick turnaround and PR!