Reputation: 418
I have JWT up and running in PHP and Angular Clients.
Everything works perfectly. But I'm still trying to understand something, security-wise: my Angular client doesn't know the key which was used to encrypt the JWT message on the server side (PHP).
Then, why can it decrypt without it?
Shouldn't the key be important?
Upvotes: 0
Views: 653
Reputation: 6086
JWTs can be either signed, encrypted or both. If a token is signed, but not encrypted, everyone can read the contents of the token, but when you don't know the private key, you can't change it. Otherwise, the receiver will notice that the signature won't match anymore.
Additionally, you can go to jwt.io, paste your token and read the contents. This is jarring for a lot of people initially.
The short answer is that JWT doesn't concern itself with encryption. It cares about validation. That is to say, it can always get the answer to "Have the contents of this token been manipulated?" This means user manipulation of the JWT token is futile because the server will know and disregard the token. The server adds a signature based on the payload when issuing a token to the client. Later on it verifies the payload and matching signature.
Please read the link below for more info.
en.wikipedia.org/wiki/JSON_Web_Token
Upvotes: 3