Is it safe to read the JWT token before validating it?

My colleagues are implementing a "check JWT for `aud` value and route accordingly". This means that:

  1. First payload is being read by the code of our application
  2. Then route to the correct validator
  3. Validate the token
  4. Load the payload in our application

I argue that this is unsafe, but I don't know how to prove it. Any ideas?


1 Answer

It's as safe as all the routable destinations

Say you have two backends, Prod and Dev, and the token contains a property `env: prod` or `env: dev` respectively. You first read the token payload, then route accordingly, and the backend then validates it.

In this scenario, if Prod validates correctly, but Dev doesn't validate at all, then the attacker can gain access to the dev environment.

However, if both environments validate the token correctly, there is no issue.


The important takeaway is that you have to be fully aware that any information you read before validating the token is potentially bogus. Do not make any security-relevant decision based on the content of the JWT before validating it.
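The scenario in this answer, as an added example that is not part of the original question or answer: the payload is peeked at without checking the signature, the `aud` claim (standing in for the answer's `env` property) picks a destination, and the destination then validates. The secrets, claim values and the two validator tables are constructed for the example; HS256 is implemented with the standard library so nothing external is needed. The "safe" table shows that a forged routing claim is harmless when every destination validates; the "unsafe" table shows the answer's failure mode, where the Dev destination trusts the payload as-is.

```python
import base64
import hashlib
import hmac
import json

# Constructed per-backend secrets (hypothetical values for the example).
KEYS = {"prod": b"prod-secret-constructed", "dev": b"dev-secret-constructed"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    # Re-add the padding that JWT base64url encoding strips.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(payload: dict, key: bytes) -> str:
    """Mint an HS256 JWT; the caller chooses the key, so an attacker can call this too."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def peek_payload(token: str) -> dict:
    """Step 1 of the question: decode the payload WITHOUT checking the signature.
    Everything returned here is attacker-controlled until a validator confirms it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(_b64url_decode(parts[1]))


def validate_hs256(token: str, key: bytes, expected_aud: str) -> dict:
    """Step 3: verify the signature with this backend's key, then re-check aud
    from the now-trusted payload (never from the earlier peek)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("aud") != expected_aud:
        raise ValueError("aud mismatch")
    return payload


def route_and_validate(token: str, validators: dict) -> tuple:
    """Step 2: route on the unverified aud, then hand the token to that destination."""
    aud = peek_payload(token).get("aud")  # untrusted routing hint only
    if aud not in validators:
        raise ValueError("unknown audience")
    return aud, validators[aud](token)  # the destination must validate


def is_accepted(token: str, validators: dict) -> bool:
    try:
        route_and_validate(token, validators)
        return True
    except ValueError:
        return False


# Every destination validates: the answer's "no issue" case.
SAFE_VALIDATORS = {
    "prod": lambda t: validate_hs256(t, KEYS["prod"], "prod"),
    "dev": lambda t: validate_hs256(t, KEYS["dev"], "dev"),
}
# Dev "validates" by trusting the payload: the answer's failure case.
UNSAFE_VALIDATORS = {
    "prod": lambda t: validate_hs256(t, KEYS["prod"], "prod"),
    "dev": lambda t: peek_payload(t),
}

# Constructed tokens: one genuine Prod token, one forged with a key the server never issued.
GENUINE = make_token({"sub": "alice", "aud": "prod"}, KEYS["prod"])
FORGED = make_token({"sub": "mallory", "aud": "dev"}, b"attacker-chosen-key")

if __name__ == "__main__":
    print("genuine, all validate:", is_accepted(GENUINE, SAFE_VALIDATORS))   # True
    print("forged, all validate: ", is_accepted(FORGED, SAFE_VALIDATORS))    # False
    print("forged, dev trusts:   ", is_accepted(FORGED, UNSAFE_VALIDATORS))  # True
```

The design point is that `peek_payload` is only ever used to choose a validator, and `validate_hs256` re-reads `aud` from the signature-checked payload rather than reusing the peeked value; the routing step adds no risk as long as no destination in the table is allowed to skip that validation.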