The background for my question is a general authentication bypass described here:
I would like to know how to setup my token-based sync gateway config so that it’s not vulnerable to that kind of attack. I suspect that the signing_method setting is part of the solution, but I’d need to know more about it. Thanks.
Currently Sync Gateway only supports “RS256” JWTs in the OIDC implicit flow, and the vulnerability you linked cannot be exploited, as we’re never trying to verify anything other than an RSA tokens. Setting the “signing_method” config option doesn’t have any effect.
There is an issue filed to add HMAC/HS256 support. We could use the “signing_method” field in the config to enforce a signing algorithm on the Sync Gateway side after we add support for multiple types, but right now that is not necessary to be protected from the issue you linked.