Is it safe to read the JWT token before validating it?
My colleagues are implementing a "check JWT for aud value and route accordingly". This means that:
- First, the payload is read by the code of our application
- Then route to the correct validator
- Validate the token
- Load the payload in our application
I argue that this is unsafe, but I don't know how to prove it. Any ideas?
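
The four steps listed above, written so that the unverified `aud` is used only as a lookup key into a fixed set of validators and the application receives claims only from a token whose signature has been checked. This is an added example, not code from the original post; the per-audience HS256 secrets, the audience names and the function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Constructed demo data: one HS256 secret per accepted audience (assumption).
VALIDATORS = {"api-a": b"demo-secret-a", "api-b": b"demo-secret-b"}

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    """Build an HS256 token; used here only to construct sample input."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"

def peek_aud(token: str):
    """Step 1: read aud from the UNVERIFIED payload; a routing hint, nothing more."""
    try:
        aud = json.loads(b64d(token.split(".")[1])).get("aud")
    except (ValueError, IndexError, AttributeError):
        return None
    return aud if isinstance(aud, str) else None

def validate(token: str) -> dict:
    """Steps 2-4: pick validator from the allowlist, verify, then load claims."""
    key = VALIDATORS.get(peek_aud(token))  # unknown or malformed aud: no validator
    if key is None:
        raise ValueError("no validator for this audience")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(b64d(head))
    # Pin the algorithm per validator; never let the token header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64d(sig)):
        raise ValueError("bad signature")
    return json.loads(b64d(body))  # only now do the claims reach the application
```

A token whose payload was edited to name another audience is routed to that audience's validator and fails its signature check, so the value read in step 1 never influences anything except which key is tried.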