Menu
I was making a javascript client that connects to an Api using JWT tokens. On the server side there are no problems, I can create the token sign it and later verify the signature en thus ensure that nobody tampered with the token.
But how do I do this on the client side. I can just decode the JWT token and see the header, payload and signature. But how do i verify the signature at the client site? Are there libraries for this, how do I transfer the public key to the client?
If I do not verify the signature how can I know the token is not tampered with?
614
Go to Dashboard > Applications. Go to the Settings view, and open Advanced Settings. Go to the Certificates view, locate the Signed Certificate field, and copy the Public Key. Navigate to the JWT.io website, locate the Algorithm dropdown, and select RS256.
Verifying a JWT To verify a JWT, the server generates the signature once again using the header and payload from the incoming JWT, and its secret key. If the newly generated signature matches the one on the JWT, then the JWT is considered valid.
if I do not validate the signature at the client side how can I ensure that the token is indeed from the server.? Maybe there is somebody in the middle who is changing the token
Signature validation does not avoid a Man In The Middle attack. An attacker could sniff the channel to capture credential or alter messages even using valid tokens
Use a SSL/TLS channel (https)
If I do not verify the signature how can I know the token is not tampered with?
A token provided by a TLS trusted server is probably valid.(it could has been altered in local storage). You can validate the signature. This operation is usually done in server side( see @sakuto answer), but you can do it in the browser perfectly
But how do i verify the signature at the client site?
These are the steps
I suggest to use the Webcrypto. See an example of RSA import key an validation here: https://github.com/diafygi/webcrypto-examples/blob/master/README.md#rsassa-pkcs1-v1_5
157
You are usually not doing verification on client-side, nor storing important data on the token. Every control and permission are checked on the back-end. Meaning that even if the user tamper its token, he won't able to pass the back-end control, only possibly seeing one more option on the front.
42
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
