Is it possible to create JWT tokens without signature?
We have a case where we would not need the signature, but all the rest of the token would be needed. So is it possible to create the JWT token without the signature?
Based on the documentation, you create the token with var token = jwt.sign, so it kind of implies that the secret is compulsory.
In contrast, the JWT specification also allows unsigned tokens. This supports use cases where a token's content is secured in some other way than by a signature or encryption that is part of the JWT itself (for example, a signature over a larger structure that contains the JWT).
The signature is used to verify that the JWT was produced by a holder of the signing key and that the message was not changed along the way. To create the signature, the base64url-encoded header and payload are joined with a dot and signed, with the key or secret, using the algorithm specified in the header. The verifier must decide which algorithms it accepts from its own configuration, not from the token: a verifier that simply honours whatever "alg" the header names will also accept an unsecured token as valid.
JSON Web Token (JWT) is an open standard that defines a compact and self-contained way to transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. Although JWTs can also be encrypted to provide secrecy between parties, the discussion here concerns signed tokens: a signed token lets the verifier check the integrity of the claims it contains, while an encrypted token hides those claims from other parties.
According to RFC 7519:
To support use cases in which the JWT content is secured by a means other than a signature and/or encryption contained within the JWT (such as a signature on a data structure containing the JWT), JWTs MAY also be created without a signature or encryption. An Unsecured JWT is a JWS using the "alg" Header Parameter value "none" and with the empty string for its JWS Signature value, as defined in the JWA specification [JWA]; it is an Unsecured JWS with the JWT Claims Set as its JWS Payload.
Since you didn't mention which library you're using, I suppose you are using the one from auth0. Although I haven't tested it yet, it seems that setting algorithm to none causes "No digital signature or MAC value":
const jwt = require('jsonwebtoken'); // auth0's jsonwebtoken library
// cert is the key argument you would otherwise pass; with algorithm 'none' no signature is produced
var token = jwt.sign({ foo: 'bar' }, cert, { algorithm: 'none'});