decode jwt token - is it secure?

Question

Have setup a test server with express, socket.io and a token-based authentication with jwt

Have looked at this tutorial https://auth0.com/blog/2014/01/15/auth-with-socket-io/

On the server-side the tutorial logs the decoded token

console.log(socket.handshake.decoded_token.email, 'connected');

But when I try to log socket.handshake.decoded_token the variable is undefined.. socket.handshake doesn't contain any variables with the decoded token

So.. I tried to google how to decode the token and found this page https://developers.google.com/wallet/digital/docs/jwtdecoder

I pasted the public token and the script decoded the token without the jwtSecret!? Hmmm... And then I'm thinking.. How can it be secure if the script can decode the token without the secret!?

The public token which is returned to the client as authentication

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwibmFtZSI6ImNsYXJrIiwiZW1haWwiOiJjbGFya0BlbGVjdHJvYmVhdC5kayIsImlhdCI6MTQwMzczMTkyMSwiZXhwIjoxNDAzNzM1NTIxfQ.mVFymk6gKBPmcVObB_3ydqbJTlcv4eVNYBcahsjg0g8

Answer 1

It's about weather you trust the issuer of token to provide claims being held by token it self. Anyone can decode it, also anyone can encode the exact same json payload, but only you can decide based on your secret key weather signature gets verified or not.

So in a potential breach scenario of you dropping your jwt secret somewhere, you should be able to change secret and basically invalidate all issued tokens with that secret.

Answer 2

The token is not encrypted, just encoded.

The signature, built with your secret, is the important bit and ensures that the token hasn't been tampered with.

Here's a decent (and short) writeup that explains that in a bit more detail