I think it's great to openly talk about these topics and especially in approachable ways for non-security experts, like myself too. If we're going to disable security checks it's important to understand the consequences/risks. It makes you second-guess yourself when it's everyone but you that wants these checks in place 😅
JWTs are signed, which means you can be (reasonably) certain that nobody tinkered with their content.
💯
However, they are not encrypted (just base64 encoded), so they do NOT ensure that a third-party attacker can't read their content and steal information this way.
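The two properties stated above (signed, so tampering is detectable; not encrypted, so the claims are readable by anyone holding the token) shown side by side, as an added example that is not part of this thread. It uses a constructed HS256 token with a demo key and a made-up user; Apple's real identity tokens are assumed here to be RS256-signed and must be verified against Apple's published public keys, which this snippet does not cover.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for the example only; nothing here is a real credential.
SECRET = b"demo-secret-not-for-real-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that compact JWT encoding strips off.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes = SECRET) -> str:
    """Build a compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def read_payload_unverified(token: str) -> dict:
    """Anyone holding the token can do this: no key and no signature check needed."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_hs256(token: str, key: bytes = SECRET) -> bool:
    """Recompute the MAC over header.payload and compare in constant time."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def with_modified_claims(token: str, **changes) -> str:
    """Edit the payload but keep the old signature: readable, but verification will fail."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims.update(changes)
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{sig}"
```

The point for the callback discussion: the signature check is what stops a modified payload from being accepted, and it is the only thing that does, because nothing in the format hides the claims.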
True that they're not encrypted, but the JWT travels through the HTTPS request so I think I'm comfortable with that. I believe the choice of using POST for the callback by the teams at Apple was for a reason (not "just because"). I just don't know enough about the vulnerabilities in these protocols to explain why.
If only they wrote documentation about it :-P