JWTs have 3 parts:
Is it possible to encrypt the payload? Following is my token's payload:
{
"iss": "joe",
"exp": "1300819380",
"data": {
"id": "12",
"userName": "PH",
"qntRed": "7",
"qntGrad": {
"1": "800",
"2": "858",
"3": "950",
"4": "745",
"5": "981"
}
}
If "qntGrad" contains sensitive data. Can I encrypt it using the secret key? Will it still be a valid JWT?
The signature can be generated by using both symmetric (HMAC algorithms) or asymmetric keys (RSA or ECDSA). Additionally JWT can carry encrypted data (JWE, RFC 7516) to protect sensitive data, although we won't see it in this study.
Signing and encryption orderJSON Web Tokens (JWT) can be signed then encrypted to provide confidentiality of the claims. While it's technically possible to perform the operations in any order to create a nested JWT, senders should first sign the JWT, then encrypt the resulting message.
JWT is a stateless session, so it does not need to be saved in a database in the server-side like cookies, it only exists in the client side. please notice that it is not encrypted it's just encoded which means you can use base64 decode and you will get the JSON object in clear.
A JSON Web Token (JWT, pronounced "jot") is a compact and url-safe way of passing a JSON message between two parties. It's a standard, defined in RFC 7519. The token is a long string, divided into different parts separated with dots, and each part is base64 encoded.
In fact there is not only signed JWT, but several technologies described by RFCs:
In your case, read the RFC7516 (JWE). These JWE have 5 parts:
Depending on your platform, you may find a library that will help you to create such encrypted JWT. Concerning PHP
, I am writing a library that is already able to load and create these jose.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With