Reputation: 10869
Why is the signature part of a jwt token always different, even when created with the same values?
jsonwebtoken, v8.5.0
node v10.13.0
npm 6.4.1
If i create a token several times with:
jwt.sign({ user_email: user_email, user_id: user_id, username: username }, 'RESTFULAPIs')
Question 01:
It seems the first 2 parts of the string are always the same (the base64 encoded header and payload values), but the third part (the signature) is different.
Why is the signature different when the original values are the same?
What I've Tried:
I have read the signature section at jwt.io/introduction:
To create the signature part you have to take:
- the encoded header
- the encoded payload
- a secret
- the algorithm specified in the header
and sign that.
So, as a guess:
Is the signature the result of encrypting the base64 encoded header and payload values using the HS256 algorithm and secret, which in this case is the string RESTFULAPIs, which produces a different result each time it is encrypted, whilst the decoded result is always the same?
Question 02:
The decoded value of the different tokens is always the same, except for an object property called iat. What does that property represent?
{
iat: 1561358034
user_id: "25423537fshsdgA"
user_email: "[email protected]"
username: "bob"
}
{
iat: 1561358156
user_id: "25423537fshsdgA"
user_email: "[email protected]"
username: "bob"
}
Actually, after researching this second question more, I came across this:
The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value.
Source: https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6
Upvotes: 9
Views: 6041
Answers (2)
Reputation: 1
If you want to have same signature as output every time, you can convert the object you passed in first argument to JSON first (like using JSON.stringify()) and pass that JSON as argument. Then the jwt.sign() method will return same signature every time as iat property is not created by default.
Passing a JavaScript object in jwt.sign() as first argument will return new signature every time. This is because the property iat is added by default in this case by javascript.
Upvotes: 0
Reputation: 7475
Per the docs:
Generated jwts will include an
iat(issued at) claim by default unlessnoTimestampis specified. Ifiatis inserted in the payload, it will be used instead of the real timestamp for calculating other things likeexpgiven a timespan inoptions.expiresIn.
So, you could test generating multiple jwts in the same second (which would therefore have the same iat) and verify that the signature is the same. Or, use the noTimestamp option, which would eliminate the iat and therefore make the payloads identical. I don't think this is the recommended way to do it.
But in short, iat is "issued at" as you've answered yourself, and the payload (and therefore the signature) is going to change every second as the inserted iat changes, per the docs I've quoted for you.
Upvotes: 11
Related Questions
- Always getting invalid signature in jwt.io
- JWT signature does not match locally computed signature
- Tried to verify JWT signature by myself in nodejs to understand internal working of JWT, but decrypted signature gives wrong value
- JWT Invalid signature from one website, but no errors with another. Extra properties of user object get added to token
- JWT Returns Invalid Signature Error Even When I enter the token in Authorization
- PHP JWT validating a secret key from a given token - why don't my 2 signatures match?
- JWT token is always invalid when verified
- For the same user, how is JWT's signature different after the user requests a new token?
- Why is a JWT signature not unique for a specific payload
- Node JWT library njwt verifies a token even though it differs from original