Why can I easily decode an auth0 id_token on jwt.io?


Question

Okay, I'm developing an Angular 2 app. I've added auth0 authentication, but to me it handles sessions very insecurely. The JWT token is not encrypted and is saved inside localStorage. The claims are visible to anyone; they can easily be decoded and revealed. Not to mention, Web Storage itself isn't a secure place.

I'm opting for JWTs because later I want to transform this web app into a desktop app with Electron, so I cannot use cookie sessions. My users will have additional information such as roles, which I don't want to look up in the DB on every request; that's why I would like to store them in the JWT. It makes sense to encrypt the data, but auth0 doesn't seem to provide that function.

If claims like roles are stored in localStorage unprotected, what's stopping me from going to the Firefox console and changing the token, e.g. making myself an admin?

Recommended answer

If claims like roles are stored in localStorage unprotected, what's stopping me from going to the Firefox console and changing the token, e.g. making myself an admin?

Because the JWT is signed, any change to the content or the signature will be detected during verification.

The digital signature, the third part of a JWT token like hhhhhh.ppppppp.ssssss, is created using the server's private key, and is the way you can verify the identity of the issuer of the token and also that it has not been altered.

If you want to hide the payload, the JWT specification allows the use of encryption (see JSON Web Encryption (JWE) in the RFC). If auth0 does not support it, you have a lot of libraries listed on jwt.io.
