jsonwebtoken, v8.5.0
node v10.13.0
npm 6.4.1
If I create a token several times with:
jwt.sign({ user_email: user_email, user_id: user_id, username: username }, 'RESTFULAPIs')
Question 01:
It seems the first 2 parts of the string are always the same (the base64 encoded header and payload values), but the third part (the signature) is different.
Why is the signature different when the original values are the same?
What I've Tried:
I have read the signature section at jwt.io/introduction:
To create the signature part you have to take:
- the encoded header
- the encoded payload
- a secret
- the algorithm specified in the header
and sign that.
So, as a guess:
Is the signature the result of encrypting the base64 encoded header and payload values using the HS256 algorithm and secret, which in this case is the string RESTFULAPIs, which produces a different result each time it is encrypted, whilst the decoded result is always the same?
Question 02:
The decoded value of the different tokens is always the same, except for an object property called iat. What does that property represent?
{
iat: 1561358034,
user_id: "25423537fshsdgA",
user_email: "[email protected]",
username: "bob"
}
{
iat: 1561358156,
user_id: "25423537fshsdgA",
user_email: "[email protected]",
username: "bob"
}
Actually, after researching this second question more, I came across this:
The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value.
Source: https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6
Per the docs:
Generated jwts will include an iat (issued at) claim by default unless noTimestamp is specified. If iat is inserted in the payload, it will be used instead of the real timestamp for calculating other things like exp given a timespan in options.expiresIn.
So, you could test generating multiple jwts in the same second (which would therefore have the same iat) and verify that the signature is the same. Or, use the noTimestamp option, which would eliminate the iat and therefore make the payloads identical. I don't think this is the recommended way to do it.
But in short, iat is "issued at" as you've answered yourself, and the payload (and therefore the signature) is going to change every second as the inserted iat changes, per the docs I've quoted for you.