Reputation: 1535
I'm new using JWTs. I have an API that generates a JWT for the clients to be authenticated for further requests. My JWT has a property that returns the user id:
{
    jwt: {
        exp: "2017-12-12 00:00:00",
        data: {
            user_id: 491
        }
    }
}
My question is if the client can decode the JWT generated by the API and add a new property into the data field, like this:
{
    jwt: {
        exp: "2017-12-12 00:00:00",
        data: {
            user_id: 491,
            status: 1
        }
    }
}
Or, if I can generate the JWT from the API auth system with the status field set to a default value and then the client could change it.
Thank you.
Upvotes: 2
Views: 8824
Reputation: 888
In the latest version of JWT Auth:
$token = JWTAuth::claims(['account_id' => $account->id])->fromUser($user);
To get the data from the token:
$payload = JWTAuth::getPayload();
$accountId = $payload->get('account_id');
In the previous version of JWT Auth:
$token = JWTAuth::fromUser($user, ['account_id' => $account->id]);
To get the data from the token:
$payload = JWTAuth::getPayload(JWTAuth::getToken());
Upvotes: 1
Reputation: 130927
In other words, you want to tamper with your JWT token and you cannot do it without invalidating the token.
The signature is calculated over the header and over the payload. The token issuer (the server) checks the signature to verify that the content has not been changed along the way.
Upvotes: 3
Reputation: 18939
The client can do that, but it would make the token invalid. When you change the content of the payload, e.g. add another field or change its content, the signature of the token no longer matches. When the API receives a token with an invalid signature it should reject the token. Imagine if you had a field called isAdmin and the client could change it from false to true. It would make your authentication pointless; the client doesn't decide whether it's admin or not, the backend does.
When the token's payload changes the signature has to be remade. In order to sign the token, the client has to know the secret key (for HS256). But the client shouldn't know the secret key.
So the answer is no, the client can't change the token.
You can read more about that here.
Upvotes: 14
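The two answers above make the same point: the signature covers the header and the payload, so a client that edits the payload (adds a status field, flips it, or adds something like isAdmin) breaks the signature and the server must reject the token. The following is an added, self-contained Python example that is not part of the question or any answer. It implements HS256 signing and verification with the standard library only (no PyJWT), issues a token with a server-chosen status claim, then plays the client and tries the exact edits asked about; the secret, the claims and the timestamp are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this demonstration only; a real API loads it from
# configuration and never sends it to clients.
SECRET = b"server-side-secret-do-not-share"


def _b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding JWS uses for each segment."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _sign(signing_input: bytes, secret: bytes) -> bytes:
    """HS256 is HMAC-SHA256 over 'base64url(header).base64url(payload)'."""
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue_token(claims: dict, secret: bytes) -> str:
    """Server side: build header.payload.signature for the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    segments.append(_b64url_encode(_sign(signing_input, secret)))
    return ".".join(segments)


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Server side: return the claims only if the signature checks out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm; the token's own header must not choose how it is checked.
        if header.get("alg") != "HS256":
            return None
        expected = _sign(f"{header_b64}.{payload_b64}".encode("ascii"), secret)
        # Constant-time comparison so the check does not leak the signature byte by byte.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed segment, bad base64 or bad JSON
        return None
    now = int(time.time()) if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return None
    return claims


def tamper_payload(token: str, extra: dict) -> str:
    """Client side: decode the payload, add or overwrite fields, keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(extra)
    new_payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload}.{sig_b64}"


def demo() -> tuple:
    """Returns (untouched token verified, token with added claim, token with flipped status)."""
    issued_at = 1_500_000_000  # constructed timestamp so the result is reproducible
    token = issue_token(
        {"exp": issued_at + 3600, "data": {"user_id": 491, "status": 0}}, SECRET
    )
    untouched = verify_token(token, SECRET, now=issued_at)
    added = tamper_payload(token, {"is_admin": True})
    flipped = tamper_payload(token, {"data": {"user_id": 491, "status": 1}})
    return (
        untouched,
        verify_token(added, SECRET, now=issued_at),
        verify_token(flipped, SECRET, now=issued_at),
    )


if __name__ == "__main__":
    print(demo())
```

Running it returns the original claims for the untouched token and None for both edited tokens: the client can change the bytes, but without the secret it cannot produce a signature the server accepts. The two points worth carrying into a real implementation are pinning the algorithm instead of trusting the header and comparing signatures in constant time; library code such as the JWTAuth calls in the answer above does both for you.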