Decoding JWT tokens without the secret

I created a token with the private key using JWT, but when I try to decode it on http://kjur.github.io/jsjws/tool_jwt.html, I found that the token can be decoded without any key given. So is it correct that the JWT token is just a signature? How do I keep the token from being decoded without the key?

user440446 asked Jul 14 '15 07:07



1 Answer

There are two ways in which public/private keys can be used by a JWT: signing and encryption.

If you use a private key for signing, it allows for the recipient to identify the sender of the JWT and the integrity of the message but not to hide its contents from others (confidentiality). Note that it would be the sender's private key that is used to sign the JWT and produce a JSON Web Signature (JWS) object. Apparently that applies to the JWT that you're looking at.

When using a public key for encryption it can be used to hide content from anyone but the intended recipient. The result is a JSON Web Encryption object. Note that it would be the public key of the recipient that is used to encrypt the JWT. Apparently that is what you're looking for.

See: http://jose.readthedocs.org/en/latest/

Hans Z. answered Oct 02 '22 06:10

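The point the answer makes (a signed JWT is readable by anyone; only the signature check needs the key), shown as an added example that is not code from the question, the answer or any JWT library. It builds an HS256 JWS with a constructed key, decodes the payload with no key at all, and then verifies the signature, which fails for a wrong key, a swapped payload or a token whose header claims a different algorithm.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple


def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jws_hs256(payload: dict, key: bytes) -> str:
    """Build a compact JWS (a signed JWT) with HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_without_key(token: str) -> Tuple[dict, dict]:
    """What the online tool does: header and payload are only base64url, not encrypted."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes) -> bool:
    """Integrity check: needs the key, and pins the algorithm to what we expect."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never trust the token to pick its own algorithm
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


if __name__ == "__main__":
    demo_key = b"constructed-demo-secret"  # constructed for the example, not a real secret
    token = make_jws_hs256({"sub": "user440446", "admin": False}, demo_key)
    print("readable without key:", decode_without_key(token))
    print("verifies with key:", verify_hs256(token, demo_key))
    print("verifies with wrong key:", verify_hs256(token, b"wrong"))
```

Anything that must stay hidden from the bearer has to go into a JWE (encrypted to the recipient's public key), as the answer says; signing alone never provides that.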