Advisories for Gem/Omniauth-Auth0 package

2020

Improper Verification of Cryptographic Signature

omniauth-auth0 improperly validates the JWT token signature when using the jwt_validator.verify method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. Impact is limited to the cases where you are using omniauth-auth0 and using the JWTValidator.verify method directly, or you are not authenticating using the SDK’s default Authorization Code Flow.