jwt.io says Signature Verified even when key is not provided


Problem description


I signed a jwt in nodejs with the below snippet.

var jwt = require('jsonwebtoken'); // the npm package whose jwt.sign() is used below
var jwtoken = jwt.sign({ email: 'test@test.com', name: 'test' }, 'abcd');

I got the below token after signing

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InRlc3RAdGVzdC5jb20iLCJuYW1lIjoidGVzdCIsImlhdCI6MTYzNjE4MjYwOX0.07FXjm1lKEIiU_QOMEEOFzhsC0vtKt4PFoW-7YHHzyM

I wanted to verify this with jwt.io. When I paste the JWT in jwt.io, I can see the site says "Signature Verified" for whatever key I provide (I don't need to provide abcd, which is my actual key). I was expecting that the key would be required to determine if a signature is valid. How does jwt.io determine if a jwt is valid without the original key?

Solution

The https://jwt.io debugger works in both directions, you can inspect and verify tokens or create and sign tokens. When you first paste your token on the left side and then paste the secret or key into the field under 'verify signature' in the right column, the signature will be recreated and you should notice that it changed. In this case, the result is always 'signature verified', because the signature was just calculated based on the entered secret.

The correct way to verify a signature is to first paste the key into the secret key field and then paste the token to the left part of the debugger. Always make sure that any other content in the input fields is overwritten.

Then the result, either 'signature verified' or 'invalid signature', will be correct.

Every secret that you enter after that causes a recalculation of the signature and then it's always verified (with the new secret):

But if you do it in the right order, a wrong secret causes an "invalid signature" result:
