Decoding JWT Tokens Without Secrecy

I created a token with the JWT private key, but when I try to decode it at http://kjur.imtqy.com/jsjws/tool_jwt.html , I find that the token can be decoded without specifying a key. Is it right that a JWT token is just a signature? How do I protect a token from being decoded without a key?

+6
1 answer

There are two ways to use JWT public / private keys: signature and encryption.

If you use the private key for signing, it allows the recipient to verify the sender of the JWT and the integrity of the message, but it does not hide the contents from others (confidentiality). Note that it is the sender's private key that is used to sign the JWT and create the JSON Web Signature (JWS) object. Apparently this is the kind of JWT you are looking at.

When a public key is used for encryption, it hides the content from anyone other than the intended recipient. The result is a JSON Web Encryption (JWE) object. Note that it is the recipient's public key that is used to encrypt the JWT. Apparently, this is what you are looking for.

See: http://jose.readthedocs.org/en/latest/

+4
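The point the answer makes, that a JWS carries its claims in the clear and the signature only protects integrity, can be shown with standard-library Python alone. The example below is an added illustration, not code from the question, the answer, or the linked tool: it builds an HS256-signed JWT (an HMAC key is assumed instead of the RSA private key in the question, so nothing outside the standard library is needed), reads the claims back without knowing the key, and shows that verification still catches a modified payload. The key and claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515 Appendix C).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build a JWS compact-serialised token: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_claims_without_key(token: str) -> dict:
    """Anyone holding the token can read its claims: the payload is only
    base64url-encoded, not encrypted. No key is involved here."""
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes) -> bool:
    """Return True only if the signature matches header and payload.
    This is what gives integrity and sender authentication, but it does
    nothing for confidentiality."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never trust "alg" from the token unconditionally.
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def replace_payload(token: str, new_payload: dict) -> str:
    """Swap the payload while keeping the original signature, to show that
    the signature check, not the encoding, is what protects the claims."""
    header_b64, _payload_b64, sig_b64 = token.split(".")
    new_payload_b64 = b64url_encode(
        json.dumps(new_payload, separators=(",", ":")).encode()
    )
    return f"{header_b64}.{new_payload_b64}.{sig_b64}"


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed, not a real secret
    token = sign_hs256({"sub": "alice", "role": "user"}, demo_key)
    print("claims readable without key:", read_claims_without_key(token))
    print("valid with correct key:", verify_hs256(token, demo_key))
    modified = replace_payload(token, {"sub": "alice", "role": "admin"})
    print("modified token still decodes:", read_claims_without_key(modified))
    print("modified token verifies:", verify_hs256(modified, demo_key))
```

Running it shows the claims are readable from the token alone, and that a token whose payload was changed still decodes but fails verification. If the claims themselves must stay private, they need to be encrypted (a JWE, as the answer says), which requires a JOSE library rather than the standard library used here.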
