GuillaumeRZ

Reputation: 2934

JsonWebToken publicly readable?

I am brand new to the JWT world and I want to create an authToken for my React Native app users.

However, I am not comfortable letting anyone read what is inside (for example, userMail, firstName, or maybe uniqueDeviceID).

For example, I create a JWT like this:

const jwt = require("jsonwebtoken");

// Signs the payload with HS256 (the library default) using the shared secret;
// the payload itself is only Base64url-encoded, not encrypted.
const authToken = jwt.sign(
  {
    firstname: "John",
    mail: "[email protected]"
  },
  "mySecretSignature",
  { expiresIn: "1h" }
);

So I obtain a token. Great news! However, I'm thinking "OK, mySecretSignature has to stay secret, to decode the JWT and get the information inside." However, when I paste the token on https://jwt.io/, it gets ALL the information in the payload, with or without "mySecretSignature".

I am wondering:

Upvotes: 2

Views: 598

Answers (2)

MyTwoCents

Reputation: 7624

To answer your queries:

Is it possible to hide the payload, and make it only readable by my server (with the secret signature)?

Well, that's not how a JWT token works. "JWT offers a self-contained way for securely transmitting information between parties as a JSON object."

You can generate a token based on a secret key and use it to transfer data.

You can read the details of the token, but to make any changes in the token you need the secret key.

Thus it adds security while transmitting information.

Maybe you can use an encryption and decryption algorithm for your use case.

What is the point of a "secretSignature" if everyone can read your JWT?

Any sensitive details shouldn't be added to the token. You can read the guidelines here.

When I verify() on the server side, I cannot read the JWT if I do not provide the "secretSignature" (great news, no?) BUT on JWT.io it works every time...

Put it this way: on the server side you try to verify the JWT, and to verify it you need "secretSignature"; without that, JWT verification will fail.

You can use any Base64 decoder, either on the server side or on any 3rd-party site. You will be able to see the same details as on JWT.io.

Great news, no? :)

e.g. try this site and decode your token; it will work.

You should understand the difference.

You can always view the token details but can't modify them without "secretSignature".

Upvotes: 2

J X J

Reputation: 78

jwt warning

Check the photo. They already said the token is readable. So if you want it to not be readable, first encode your email or something, and after this put it in the payload. This is the only way. Actually, the main purpose of authentication is to check whether the user has access or not. JWT is also authentication, but its extra feature is that it can pass information via the token; however, that information is not safe. Thanks.

Upvotes: 0
