JWT: Can see token contents without payload

[venkytt]

Hello

The documentation is not very clear when it comes to my understanding of the following.

Consider a JWT token is created in nodejs:

token() {
const payload= {
exp: moment()
.add(jwtExpirationInterval, "minutes")
.unix(),
iat: moment().unix(),
sub: this._id
};
return nJwt.create(playload, jwtSecret,"HS256").compact();
},

Now, without the "jwtSecret", I am able to see the "payload";

So, there is something wrong in my encoding, right? OR Is the secret key used ONLY to verify the payload?

many thanks

[nbarbettini]

Yes, the key is only used for verification. JWTs are _encoded_ but not _encrypted_, so they should not be used when the contents need to be protected against eavesdropping. There is another standard called JWE which does encrypt the contents of the payload, but it is more complicated and isn't used as often.

…

On Sat, Dec 7, 2019, 01:59 venkytt ***@***.***> wrote: Hello The documentation is not very clear when it comes to my understanding of the following. Consider a JWT token is created in nodejs: token() { const payload= { exp: moment() .add(jwtExpirationInterval, "minutes") .unix(), iat: moment().unix(), sub: this._id }; return nJwt.create(playload, jwtSecret,"HS256").compact(); }, Now, without the "jwtSecret", I am able to see the "payload"; So, there is something wrong in my encoding, right? OR Is the secret key used ONLY to verify the payload? many thanks — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#22?email_source=notifications&email_token=ABZNI2QGHFVSIZ6ZPWEGDYLQXNXZXA5CNFSM4JXKWTPKYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4H62ARQA>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABZNI2SGC7OV6ZHH4SMY3VLQXNXZXANCNFSM4JXKWTPA> .

[venkytt]

What I love about this library is that it works across platforms, across programming languages, etc.! Kudos!!!!

I experimented with a bunch of different encryption mechanisms but between different programming languages, I get lost!

I have a simple question. Today, jsonwebtoken encrypts the digital signature and that works across, everywhere. How do I access just that function in node/java/php? What I would like to do is encrypt my existing payload using that, and then send that as as the jwt token.

Should work, right?

Many thanks in advance!

[nbarbettini]

@venkytt Glad it's useful for you!

Just to be clear - JWTs are not encrypted. Any data contained in them is visible to everyone. They use base64 encoding: https://www.base64decode.org/
All popular programming languages have a way to base64 encode/decode a string.

If you need to encrypt data (so that no one else can read it), you need to use a different mechanism, like AES: https://codeforgeek.com/encrypt-and-decrypt-data-in-node-js/

[venkytt]

Hello Nbarbettini

Yes, I FULLY understand your view. Thanks.

Today, JWT uses the secret to encode and decode (possibly encrypt). How can I just access this functionality in PHP, Node, and Java? Is that possible?

The reason I ask is that it is working across programming languages already, so I don't have to try anything else

Thanks again

[nbarbettini]

Today, JWT uses the secret to encode and decode

JWTs don't use the secret to do encoding and decoding. The secret is used for creating a signature to verify that the contents have not been tampered with. You can make JWTs without a secret and signature just fine (although tools like jsonwebtoken.io aren't built for that).

The actual encoding is base64. If you just want to base64 encode data, you don't need to use a JWT library, you can use a library like: https://www.npmjs.com/package/nodejs-base64 (in Node)

If you want to build a JWT with a header and payload, use a library like: https://github.com/jwtk/njwt (also in Node). For example,

var nJwt = require('njwt');
var secureRandom = require('secure-random');

var signingKey = secureRandom(256, {type: 'Buffer'}); // Create a highly random byte array of 256 bytes

var claims = {
  iss: "http://myapp.com/",  // The URL of your service
  sub: "users/user1234",    // The UID of the user in your system
  someData: "hello there",
  someMoreData: "buffalo buffalo buffalo",
  foo: 1234
}

var jwt = nJwt.create(claims,signingKey);