The auth0 blog recommends an incomplete mitigation.

The correct fix is to never trust the header for which algorithm you're using.

https://infosec.exchange/@sophieschmieg/115132001021790785