解密JWT令牌没有任何秘密 [英] Decoding JWT tokens without the secret

问题描述

我通过JWT使用私钥创建了令牌，但是当我尝试在 http上对其进行解码时， ://kjur.github.io/jsjws/tool_jwt.html ，我发现无需提供任何密钥就可以对令牌进行解码.那么，JWT令牌仅仅是签名是正确的吗?如何防止令牌在没有密钥的情况下被解码?

I created a token with the private key by JWT, but when I try to decode it on http://kjur.github.io/jsjws/tool_jwt.html, I found that the token can be decoded without any key given. So is it correct that the JWT token is just a signing? How to keep the token from decoded without the key?

推荐答案

JWT可以通过两种方式使用公钥/私钥:签名和加密.

There are two ways in which a public/private keys can be used by a JWT: signing and encryption.

如果您使用私钥进行签名，则收件人可以使用它来标识JWT的发送者和消息的完整性，但不能对其他消息隐藏其内容(机密性).请注意，它将是发送者的私钥，用于对JWT进行签名并生成JSON Web签名(JWS)对象.显然，这适用于您正在查看的JWT.

If you use a private key for signing, it allows for the recipient to identify the sender of the JWT and the integrity of the message but not to hide its contents from others (confidentiality). Note that it would be the sender's private key that is used to sign the JWT and produce a JSON Web Signature (JWS) object. Apparently that applies to the JWT that you're looking at.

在使用公共密钥进行加密时，可以将其用于隐藏目标收件人以外的任何人的内容.结果是一个JSON Web加密对象.请注意，它将是用于加密JWT的收件人的公钥.显然，这就是您想要的.

When using a public key for encryption it can be used to hide content from anyone but the intended recipient. The result is a JSON Web Encryption object. Note that it would be the public key of the recipient that is used to encrypt the JWT. Apparently that is what you're looking for.

请参阅: http://jose.readthedocs.org/en/latest/

这篇关于解密JWT令牌没有任何秘密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！