This repository has been archived by the owner on Jul 9, 2021. It is now read-only.

JWT: Can see token contents without payload #22

Open
venkytt opened this issue Dec 7, 2019 · 5 comments

Comments

@venkytt

venkytt commented Dec 7, 2019

Hello

The documentation is not very clear when it comes to my understanding of the following.

Consider a JWT token that is created in nodejs:

```javascript
const moment = require("moment");
const nJwt = require("njwt");

// Assumed configuration values (not shown in the original snippet)
const jwtExpirationInterval = 30; // token lifetime in minutes
const jwtSecret = process.env.JWT_SECRET; // HS256 signing secret

const user = {
  _id: "user1234",
  token() {
    const payload = {
      exp: moment().add(jwtExpirationInterval, "minutes").unix(),
      iat: moment().unix(),
      sub: this._id
    };
    // Compact HS256-signed JWT; the payload is base64url-encoded, not encrypted
    return nJwt.create(payload, jwtSecret, "HS256").compact();
  }
};
```

Now, without the "jwtSecret", I am able to see the "payload";

So, there is something wrong in my encoding, right? OR Is the secret key used ONLY to verify the payload?

many thanks

@nbarbettini
Member

nbarbettini commented Dec 7, 2019 via email

@venkytt
Author

venkytt commented Dec 19, 2019

What I love about this library is that it works across platforms, across programming languages, etc.! Kudos!!!!

I experimented with a bunch of different encryption mechanisms but between different programming languages, I get lost!

I have a simple question. Today, jsonwebtoken encrypts the digital signature and that works across, everywhere. How do I access just that function in node/java/php? What I would like to do is encrypt my existing payload using that, and then send that as the jwt token.

Should work, right?

Many thanks in advance!

@nbarbettini
Member

nbarbettini commented Dec 19, 2019

@venkytt Glad it's useful for you!

Just to be clear - JWTs are not encrypted. Any data contained in them is visible to everyone. They use base64 encoding: https://www.base64decode.org/
All popular programming languages have a way to base64 encode/decode a string.

If you need to encrypt data (so that no one else can read it), you need to use a different mechanism, like AES: https://codeforgeek.com/encrypt-and-decrypt-data-in-node-js/

@venkytt
Author

venkytt commented Dec 19, 2019

Hello Nbarbettini

Yes, I FULLY understand your view. Thanks.

Today, JWT uses the secret to encode and decode (possibly encrypt). How can I just access this functionality in PHP, Node, and Java? Is that possible?

The reason I ask is that it is working across programming languages already, so I don't have to try anything else.

Thanks again

@nbarbettini
Member

> Today, JWT uses the secret to encode and decode

JWTs don't use the secret to do encoding and decoding. The secret is used for creating a signature to verify that the contents have not been tampered with. You can make JWTs without a secret and signature just fine (although tools like jsonwebtoken.io aren't built for that).

The actual encoding is base64. If you just want to base64 encode data, you don't need to use a JWT library, you can use a library like: https://www.npmjs.com/package/nodejs-base64 (in Node)

If you want to build a JWT with a header and payload, use a library like: https://github.com/jwtk/njwt (also in Node). For example,

```javascript
var nJwt = require('njwt');
var secureRandom = require('secure-random');

var signingKey = secureRandom(256, {type: 'Buffer'}); // Create a highly random byte array of 256 bytes

var claims = {
  iss: "http://myapp.com/",  // The URL of your service
  sub: "users/user1234",    // The UID of the user in your system
  someData: "hello there",
  someMoreData: "buffalo buffalo buffalo",
  foo: 1234
}

var jwt = nJwt.create(claims, signingKey); // HS256 by default; call jwt.compact() for the token string
```
