If you use "none", anyone can forge a JWT that says anything. I always say:
* You should have some other way of verifying that the JWT was unchanged by the client, like, say, being on a private network or using client TLS certs
and
* You should benchmark and know that the signing overhead is a significant source of performance degradation in your system.
Otherwise, sign your JWTs! :)
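To make the "none" problem concrete, here is an added example (not code from the commenter or from any JWT library) of a minimal verifier that pins an explicit algorithm allow-list and checks an HMAC-SHA256 signature using only the Python standard library. The key, claims and the unsigned token are all constructed for the demo; the point is that the verifier, not the token header, decides which algorithms are acceptable, so an `alg: none` token is rejected before any signature logic runs.

```python
import base64
import hashlib
import hmac
import json

# Algorithms this verifier will ever accept. "none" is deliberately absent:
# the header is attacker-controlled, so it must never choose the algorithm.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWT signed with HMAC-SHA256 (demo helper, not a library API)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Return the claims if the token carries a valid signature under an allowed algorithm.

    Raises ValueError for malformed tokens, disallowed algorithms (including "none"),
    and signature mismatches.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three dot-separated segments")
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    # Allow-list check first: reject before touching the signature at all.
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm {alg!r} is not allowed")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def demo() -> dict:
    """Run the verifier against a good token, an unsigned token and a tampered token."""
    key = b"constructed-demo-key-not-for-production"  # constructed sample key
    good = sign_hs256({"sub": "alice", "role": "user"}, key)

    # Constructed unsigned token: header says alg "none", signature segment is empty.
    # It exists here only to show that the verifier refuses it.
    elevated_payload = _b64url_encode(b'{"sub":"alice","role":"admin"}')
    forged = _b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + elevated_payload + "."

    # Constructed tampered token: valid HS256 header and signature, but the payload
    # was swapped, so the HMAC no longer matches.
    header_b64, _payload_b64, sig_b64 = good.split(".")
    tampered = f"{header_b64}.{elevated_payload}.{sig_b64}"

    results = {"good_accepted": verify_jwt(good, key)["sub"] == "alice"}
    for name, token in (("forged_rejected", forged), ("tampered_rejected", tampered)):
        try:
            verify_jwt(token, key)
            results[name] = False
        except ValueError:
            results[name] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The same shape applies when using a real JWT library: pass an explicit list of accepted algorithms to the verify call rather than trusting whatever the token header declares.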