How to verify subject field when using JWT auth over Prosody?


Would it be possible to enforce “sub” field verification when using JWT authentication over Prosody? We have two different deployments with the common “app_secret”, hosted on the same domain (e.g. “blahcom”), but on the different sub-domains (lets say “ablahcom” and “bblahcom”), unfortunately JWT token appears to be working for both deployments, authentication succeeded on both servers.

No answer here, I’d consider this as a security flaw

Have you enabled enable_domain_verification in your deployment?

1 Like