user203687

Reputation: 7247

Do we need to validate JSON Web Token at client/consumer?

I am studying a bit about JSON Web Token. I understood that header+claims get signed by a secret key and the encoded result gets concatenated to "header.claims.signature" and finally sent back to the client.

I have some basic doubts:

Upvotes: 4

Views: 1789

Answers (1)

jps

Reputation: 22555

Do we need to validate the token at client/consumer

On client side you usually don't validate the token. Treat it just as an opaque token. Keep it safe and use it when making requests to the server.

If the client needs to validate the token, I guess it has to know the secret key to decrypt/decode. As mentioned above, the client doesn't need to validate the token.

In any case in which the authentication server (the instance that authenticates the user and issues the token) and the resource server (the instance that owns a protected resource and requires a token for authorization) are not the same, signing and validation of the token is usually done with asymmetric algorithms like RS256, in which the private key is used to sign the token and is only known by the authentication server, and the public key is used to verify the signature.

If the client knows the secret key, I guess it can create its own token too. If such is the case, does the server need to accept such tokens (or is it application/business dependent?)

That's why a client should not know the secret key. When symmetric key algorithms (e.g. HS256), in which the same key is used to sign and verify a signature, are used, you can't allow the client to know the key, as it could be abused to create a fake token. Then JWT would be pointless. For asymmetric keys, there's no risk if the client knows the public key.

Upvotes: 2
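The following is an added example (not part of the question or the answer above, and not a library's API) showing the mechanics the answer describes for the symmetric HS256 case using only the Python standard library: the issuing server signs `header.claims` with an HMAC key, the resource server verifies the signature with the same key, and the client only base64url-decodes the payload without verifying anything. The key value and the claims are constructed for the demonstration. Because signing and verifying use one key, the same `sign_hs256` call is all that is needed to mint a token with any claims, which is exactly why the answer says the key must stay on the server.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for this example; a real server would load this from a secrets store.
SERVER_KEY = b"constructed-server-secret-do-not-share-with-clients"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding the token stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issuing-server side: build base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Resource-server side: return the claims only if the signature checks out, else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the expected algorithm; the token's own header must not choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(claims_b64))


def client_reads_claims(token: str) -> dict:
    """Client side: decode (not verify) the payload, e.g. to show the username in the UI.
    The client has no key, so it must treat the token as opaque for any security decision."""
    return json.loads(b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    token = sign_hs256({"sub": "alice", "role": "user"}, SERVER_KEY)
    print("issued:", token)
    print("server accepts:", verify_hs256(token, SERVER_KEY))
    print("client sees (unverified):", client_reads_claims(token))
    print("wrong key rejected:", verify_hs256(token, b"some-other-key") is None)
```

A token produced with any key other than `SERVER_KEY` fails `verify_hs256`, so a client that does not hold the server's key cannot produce anything the resource server accepts; a client that did hold it could. With RS256 the same structure applies, except `sign_hs256` would use the private key and `verify_hs256` only the public key, which is why the public key can be handed to clients freely.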
