Ajay Gupta

How do I know if a JSON Web Token is tampered with or not?

Is there any way to know if a JSON Web Token was tampered with or not? For example, the body was changed or the expiry time was changed, etc.

I've tried reading the RFC of JWT, but the language is a little too high-level for me.

Upvotes: 4

Views: 4550

Answers (1)

ytg

From Wikipedia:

JWTs generally have three parts: a header, a payload, and a signature. The header identifies which algorithm is used to generate the signature, and looks something like this:

header = '{"alg":"HS256","typ":"JWT"}'

The signature is calculated by base64url encoding the header and payload and concatenating them with a period as a separator:

To put it all together, the signature is base64url encoded.

So... you take the signature of the token, decode it from base64, take the encryption algorithm from the header and generate the signature for the base64 encoded header + '.' + base64 encoded payload. If the signature you calculated and the signature you received match, then most likely nobody tampered with the JWT.

Upvotes: 8
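The recipe in the answer above (recompute the signature over the base64url header + '.' + base64url payload and compare it with the signature segment), carried through in Python as an added example that is not part of the original post. It assumes an HS256 token with a shared secret, uses only the standard library, compares signatures in constant time, rejects any header whose alg is not the one the verifier expects, and also checks the exp claim, since a valid signature only proves the token is unmodified, not that it is still current. The secret, the claims and the timestamp are constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that the token stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # Token issuer side: header.payload is the signing input, HMAC-SHA256 is the signature.
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Any tampering with header or payload changes the
    signing input, so the recomputed HMAC no longer matches the received one."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        received_sig = b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return False, "bad encoding"
    # Pin the algorithm: the verifier decides which algorithm is acceptable,
    # never the (unauthenticated) header of the token being checked.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, received_sig):
        return False, "signature mismatch"
    # Only after the signature checks out is the payload trustworthy enough to read.
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, binascii.Error):
        return False, "bad encoding"
    current = int(time.time()) if now is None else now
    exp = payload.get("exp")
    if exp is not None and current >= int(exp):
        return False, "expired"
    return True, "ok"


def replace_payload_keep_signature(token: str, new_payload: dict) -> str:
    # Models the situation from the question: the body is edited but the
    # original signature segment is left in place.
    header_b64, _old_payload, sig_b64 = token.split(".")
    new_b64 = b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_b64}.{sig_b64}"


# Constructed demo values (not from any real system).
SECRET = b"constructed-demo-secret"
NOW = 1_700_000_000
HEADER = {"alg": "HS256", "typ": "JWT"}


def demo() -> dict:
    good = sign_hs256(HEADER, {"sub": "alice", "exp": NOW + 3600}, SECRET)
    results = {
        "untouched": verify_hs256(good, SECRET, now=NOW),
        "expiry_extended": verify_hs256(
            replace_payload_keep_signature(good, {"sub": "alice", "exp": NOW + 999_999}),
            SECRET, now=NOW,
        ),
        "wrong_secret": verify_hs256(good, b"some-other-secret", now=NOW),
        "expired": verify_hs256(
            sign_hs256(HEADER, {"sub": "alice", "exp": NOW - 1}, SECRET), SECRET, now=NOW
        ),
        # A header claiming "none" with an empty signature segment is refused outright.
        "alg_none": verify_hs256(
            b64url_encode(b'{"alg":"none"}') + "." + good.split(".")[1] + ".", SECRET, now=NOW
        ),
    }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} -> {outcome}")
```

Pass the `now` argument only in tests; in production leave it as `None` so the real clock is used. The point the example makes beyond the answer is ordering: decode nothing from the payload into application logic until the signature has been checked, and decide the algorithm on the verifier's side rather than reading it from the token.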
