Reputation: 1660
JWT token signature validation javascript
I was making a javascript client that connects to an Api using JWT tokens. On the server side there are no problems, I can create the token sign it and later verify the signature en thus ensure that nobody tampered with the token.
But how do I do this on the client side. I can just decode the JWT token and see the header, payload and signature. But how do i verify the signature at the client site? Are there libraries for this, how do I transfer the public key to the client?
If I do not verify the signature how can I know the token is not tampered with?
Upvotes: 6
Views: 8252
Answers (3)
Reputation: 23
This type of work-around comments are the reason why I don't trust "libraries" written by others.
JWT.io has reported that many of the libraries that are widely available have security vulnerabilities.
RFC 7519 clearly states that the application MUST validate the token signature and if its signature is not valid, you MUST discard it.
Upvotes: 0
Reputation: 39241
if I do not validate the signature at the client side how can I ensure that the token is indeed from the server.? Maybe there is somebody in the middle who is changing the token
Signature validation does not avoid a Man In The Middle attack. An attacker could sniff the channel to capture credential or alter messages even using valid tokens
Use a SSL/TLS channel (https)
If I do not verify the signature how can I know the token is not tampered with?
A token provided by a TLS trusted server is probably valid.(it could has been altered in local storage). You can validate the signature. This operation is usually done in server side( see @sakuto answer), but you can do it in the browser perfectly
But how do i verify the signature at the client site?
These are the steps
- Download the public key from a trusted server
- extract the signature from JWT and decode it( base64url)
- verify the digital signature using a cryptographic library
I suggest to use the Webcrypto. See an example of RSA import key an validation here: https://github.com/diafygi/webcrypto-examples/blob/master/README.md#rsassa-pkcs1-v1_5
Upvotes: 5
Reputation: 5039
You are usually not doing verification on client-side, nor storing important data on the token. Every control and permission are checked on the back-end. Meaning that even if the user tamper its token, he won't able to pass the back-end control, only possibly seeing one more option on the front.
Upvotes: 2
Related Questions
- How to validate a JWT token
- Authorization token Bearer through javascript security
- JWT token validation on each request?
- Verifying jwt tokens [rsa]
- Verify JWT on browser
- How to use a JWT token as login validation?
- NodeJS JWT token verification
- JWT Signature Validation
- Authentication with JWT
- JSON Web Tokens (JWT) - Validate Client