我怎么能去在AngularJS一个JWT code使用公钥? [英] How can i decode in AngularJS a JWT with a public key?
问题描述
我要建总部设在智威汤逊与验证的AngularJS网站。当我顺利地登录到aplication,后端返回我一个JWT,这是存储在localStorage的。
我想收到的JWT索赔的用户的角色,但我读的localStorage令牌,因此,这可以简单地改性壳聚糖(例如:在使用Chrome浏览器开发工具)和恶意用户可以把假的角色在JWT
我如何使用公共密钥验证客户端的令牌?我asume的服务器的NodeJS利用其使用相应的私钥生成令牌JWT简单的
在此先感谢!
和恶意用户可以把假的角色在JWT
这是为什么的问题?恶意用户无法出示有效凭证W / O知道一个私钥和服务器根据下一个请求将验证JWT反正。
如果您想验证智威汤逊,以显示正确,也就是说,图形用户界面,你可以使用JS库的,例如 http://kjur.github.io/jsjws/ 。
I'm building an AngularJS site with authentication based in JWT. When I log successfully into the aplication, the backend returns me a JWT and this is stored in localStorage.
I want to receive the roles of the user in the JWT Claims, but I read the token from localstorage and therefore this can be simply modificated (e.g.: using chrome dev tools) and the malicious user can put fake roles in the JWT.
How i can verify the token in the client side using a public key?. I asume the NodeJS server generate the token using their corresponding private key using jwt-simple
Thanks in advance!
解决方案and the malicious user can put fake roles in the JWT
Why is that an issue? Malicious user cannot produce a valid token w/o knowing a private key and server will validate the JWT upon the next request anyway.
If you want to verify JWT in order to correctly show, say, GUI, you can use JS library for that, e.g. http://kjur.github.io/jsjws/.
这篇关于我怎么能去在AngularJS一个JWT code使用公钥?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
