 

How do I know if a JSON Web Token is tampered with or not

Is there any way to know if a JSON Web Token was tampered with or not. For example, the body was changed or the expiry time was changed, etc.

I've tried reading the RFC of JWT, but the language is somewhat high level for me.

Ajay asked Oct 21 '25 15:10


1 Answer

From Wikipedia:

JWTs generally have three parts: a header, a payload, and a signature. The header identifies which algorithm is used to generate the signature, and looks something like this:

header = '{"alg":"HS256","typ":"JWT"}'

The signature is calculated by base64url encoding the header and payload and concatenating them with a period as a separator.

To put it all together, the signature is base64url encoded.

So... you take the signature of the token, decode it from base64, take the encryption algorithm from the header and generate the signature for the base64 encoded header + '.' + base64 encoded payload. If the signature you calculated and the signature you received match, then most likely nobody tampered with the JWT.

ytg answered Oct 23 '25 05:10
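The check the answer describes, as an added example in Python that is not part of ytg's answer or of any JWT library. It recomputes the HMAC over `base64url(header) + "." + base64url(payload)` and compares it to the third segment, then checks `exp`. One caveat the answer's wording hides: the verifier should pin the algorithm it expects rather than "take the algorithm from the header", because a forger controls the header and can set `alg` to `none` or swap in a different algorithm. The secret, the clock value, the claims and the two attacker helpers (`tamper_claims`, `strip_to_alg_none`) are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    # JWS segments are base64url without '=' padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Re-add the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build an HS256 token: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes, now=None):
    """Return (ok, reason). ok is True only when the HMAC recomputed over
    header '.' payload equals the third segment and the token is unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed: expected three dot-separated segments"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        received_sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return False, "malformed: undecodable header or signature"
    # The verifier decides the algorithm; it never trusts the header's "alg".
    # Trusting it lets a forger claim alg "none" (no signature at all) or
    # switch a public-key algorithm to HMAC keyed with the public key.
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg != "HS256":
        return False, f"unexpected alg: {alg!r}"
    signing_input = f"{header_b64}.{payload_b64}".encode("utf-8")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time compare so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected_sig, received_sig):
        return False, "signature mismatch"
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed: undecodable payload"
    exp = payload.get("exp") if isinstance(payload, dict) else None
    now = int(time.time()) if now is None else now
    if isinstance(exp, (int, float)) and now >= exp:
        return False, "token expired"
    return True, "ok"


def tamper_claims(token: str, **changes) -> str:
    """Attacker's move: rewrite claims in the payload but keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    new_payload = json.dumps(payload, separators=(",", ":")).encode()
    return f"{header_b64}.{b64url_encode(new_payload)}.{sig_b64}"


def strip_to_alg_none(token: str) -> str:
    """Attacker's move: claim alg 'none' and drop the signature entirely."""
    _, payload_b64, _ = token.split(".")
    return b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + payload_b64 + "."


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"  # constructed key for this example only
    NOW = 1_700_000_000                  # fixed clock so the run is reproducible
    token = sign_hs256({"sub": "ajay", "exp": NOW + 600}, SECRET)
    print("genuine      ", verify_hs256(token, SECRET, NOW))
    print("exp changed  ", verify_hs256(tamper_claims(token, exp=NOW + 10**9), SECRET, NOW))
    print("alg none     ", verify_hs256(strip_to_alg_none(token), SECRET, NOW))
    print("wrong secret ", verify_hs256(token, b"other-secret", NOW))
    expired = sign_hs256({"sub": "ajay", "exp": NOW - 1}, SECRET)
    print("expired      ", verify_hs256(expired, SECRET, NOW))
```

Changing `exp` in the payload changes the bytes the HMAC covers, so the old signature no longer matches; that is the whole tamper check. The two things the signature cannot tell you are whether the token has expired (a genuine, untampered token can still be stale, hence the separate `exp` check) and whether the issuer's secret has leaked, in which case a forger can produce perfectly valid signatures.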


