Why can I easily decode auth0 id_token on jwt.io?


Problem description

Okay, I'm developing an Angular 2 app. I've added auth0 authentication, but to me it handles sessions very insecurely. The jwt token is not encrypted and is saved inside localStorage. The claims are visible to anyone; they can easily be decoded and revealed. Not to mention, Web Storage itself isn't a secure place.

I'm opting for JWTs because later I want to transform this web app into a desktop app with Electron, and so I cannot use cookie sessions. My users will have additional information such as roles, which I don't want to look up in the db on every request; that's why I would like to store them in the jwt. It makes sense to encrypt the data, but auth0 doesn't seem to provide that function.

If claims like roles are stored in localStorage unprotected, what's stopping me from going to the Firefox console and changing the token, e.g. making myself an admin?

Recommended answer

If claims like roles are stored in localStorage unprotected, what's stopping me from going to the Firefox console and changing the token, e.g. making myself an admin?

Because the JWT is signed, any change to the content or to the signature will be detected during verification.

The digital signature, the third part of a JWT token like this hhhhhh.ppppppp.ssssss, is created using the server's private key, and is the way you can verify the identity of the issuer of the token and also that it has not been altered.

If you want to hide the payload, the JWT specification allows the use of encryption (see Json Web Encryption-JWE at RFC). If auth0 does not support it, you have a lot of libraries listed in jwt.io.
