-
Notifications
You must be signed in to change notification settings - Fork 4
JWT: Can see token contents without payload #22
Comments
Yes, the key is only used for verification. JWTs are _encoded_ but not
_encrypted_, so they should not be used when the contents need to be
protected against eavesdropping.
There is another standard called JWE which does encrypt the contents of the
payload, but it is more complicated and isn't used as often.
…On Sat, Dec 7, 2019, 01:59 venkytt ***@***.***> wrote:
Hello
The documentation is not very clear when it comes to my understanding of
the following.
Consider a JWT token is created in nodejs:
token() {
const payload= {
exp: moment()
.add(jwtExpirationInterval, "minutes")
.unix(),
iat: moment().unix(),
sub: this._id
};
return nJwt.create(playload, jwtSecret,"HS256").compact();
},
Now, without the "jwtSecret", I am able to see the "payload";
So, there is something wrong in my encoding, right? OR Is the secret key
used ONLY to verify the payload?
many thanks
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#22?email_source=notifications&email_token=ABZNI2QGHFVSIZ6ZPWEGDYLQXNXZXA5CNFSM4JXKWTPKYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4H62ARQA>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABZNI2SGC7OV6ZHH4SMY3VLQXNXZXANCNFSM4JXKWTPA>
.
|
What I love about this library is that it works across platforms, across programming languages, etc.! Kudos!!!! I experimented with a bunch of different encryption mechanisms but between different programming languages, I get lost! I have a simple question. Today, jsonwebtoken encrypts the digital signature and that works across, everywhere. How do I access just that function in node/java/php? What I would like to do is encrypt my existing payload using that, and then send that as as the jwt token. Should work, right? Many thanks in advance! |
@venkytt Glad it's useful for you! Just to be clear - JWTs are not encrypted. Any data contained in them is visible to everyone. They use base64 encoding: https://www.base64decode.org/ If you need to encrypt data (so that no one else can read it), you need to use a different mechanism, like AES: https://codeforgeek.com/encrypt-and-decrypt-data-in-node-js/ |
Hello Nbarbettini Yes, I FULLY understand your view. Thanks. Today, JWT uses the secret to encode and decode (possibly encrypt). How can I just access this functionality in PHP, Node, and Java? Is that possible? The reason I ask is that it is working across programming languages already, so I don't have to try anything else Thanks again |
JWTs don't use the secret to do encoding and decoding. The secret is used for creating a signature to verify that the contents have not been tampered with. You can make JWTs without a secret and signature just fine (although tools like jsonwebtoken.io aren't built for that). The actual encoding is base64. If you just want to base64 encode data, you don't need to use a JWT library, you can use a library like: https://www.npmjs.com/package/nodejs-base64 (in Node) If you want to build a JWT with a header and payload, use a library like: https://github.com/jwtk/njwt (also in Node). For example, var nJwt = require('njwt');
var secureRandom = require('secure-random');
var signingKey = secureRandom(256, {type: 'Buffer'}); // Create a highly random byte array of 256 bytes
var claims = {
iss: "http://myapp.com/", // The URL of your service
sub: "users/user1234", // The UID of the user in your system
someData: "hello there",
someMoreData: "buffalo buffalo buffalo",
foo: 1234
}
var jwt = nJwt.create(claims,signingKey); |
Hello
The documentation is not very clear when it comes to my understanding of the following.
Consider a JWT token is created in nodejs:
token() {
const payload= {
exp: moment()
.add(jwtExpirationInterval, "minutes")
.unix(),
iat: moment().unix(),
sub: this._id
};
return nJwt.create(playload, jwtSecret,"HS256").compact();
},
Now, without the "jwtSecret", I am able to see the "payload";
So, there is something wrong in my encoding, right? OR Is the secret key used ONLY to verify the payload?
many thanks
The text was updated successfully, but these errors were encountered: