Validate a jwt in angular?

Tags: angular, jwt

Morning;

I have a question about JWT and Angular.

I am looking to make all transactions between my front app (developed with angular) and my backend service using jwt to ensure data integrity.

So how can the Angular app check and validate the JWT message? I know that the app must use the secret key to validate the JWT data, but the problem is: where should I keep the secret key in the Angular app? Or do I have to assume that the JWT is valid in all cases?

Cordially

Adouani Riadh asked Jan 18 '18 15:01


2 Answers

The fact is your secret key is server-side. Express JWT package does a great job.

What you do client side is to check for its validity.

You could use an Interceptor to check for integrity on each HTTP request: Official docs on Interceptors

Then on each request you would validate the JWT based on what you actually set server-side. And then you handle your cases when the actual token is valid or invalid.

Here's a link to Angular 2 JWT package

t3__rry answered Oct 13 '22 01:10


It depends on how you are using the JWT. Normally, the signature is validated on the server when the JWT is sent back with each request (in a cookie or in the Authorization header). This is to validate that the JWT has not been altered. However, sometimes it is good to validate the integrity of the JWT in the client if the client needs to use claims in the JWT.

If the JWT was signed using a secret key, having it in the client puts the secret at risk of exposure - particularly when using a browser-based client such as Angular. If the secret is compromised, it can then be used to alter a JWT and sign it with the changes made.

If the JWT needs to be validated in the client, you should use a private/public key pair to sign and validate, respectively, the JWT. Having the public key in the client to validate the JWT's signature does not pose a security risk. As its name suggests, the public key is designed to be available to anyone.

The jsonwebtoken package can also be used to handle the signing and verifying of JWTs. A good website for help with JWT is jwt.io.

Robert Brodie answered Oct 13 '22 01:10