decode jwt token - is it secure?

Views: 235

Question

Have set up a test server with express and socket.io, using jwt for token-based authentication.

Have followed this tutorial: https://auth0.com/blog/2014/01/15/auth-with-socket-io/

On the server side, the tutorial logs the decoded token:

console.log(socket.handshake.decoded_token.email, 'connected');

But when I try to log socket.handshake.decoded_token the variable is undefined. socket.handshake doesn't contain any variable with the decoded token.

So I tried to google how to decode the token and found this page: https://developers.google.com/wallet/digital/docs/jwtdecoder

I pasted the public token and the script decoded it without the jwtSecret!? Hmm... And then I'm thinking: how can it be secure if the script can decode the token without the secret!?

The public token which is returned to the client as authentication:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwibmFtZSI6ImNsYXJrIiwiZW1haWwiOiJjbGFya0BlbGVjdHJvYmVhdC5kayIsImlhdCI6MTQwMzczMTkyMSwiZXhwIjoxNDAzNzM1NTIxfQ.mVFymk6gKBPmcVObB_3ydqbJTlcv4eVNYBcahsjg0g8

Solution

The token is not encrypted, just encoded.

The signature, built with your secret, is the important bit and ensures that the token hasn't been tampered with.

Here's a decent (and short) writeup that explains that in a bit more detail: https://auth0.com/blog/2014/01/15/auth-with-socket-io/

