Decoding JWT tokens without the secret


Problem description


I created a token with the private key by JWT, but when I tried to decode it on http://kjur.github.io/jsjws/tool_jwt.html, I found that the token can be decoded without any key given. So is it correct that the JWT token is just a signature? How do I keep the token from being decoded without the key?

Solution

There are two ways in which a public/private key pair can be used by a JWT: signing and encryption.

If you use a private key for signing, it allows the recipient to identify the sender of the JWT and check the integrity of the message, but not to hide its contents from others (confidentiality). Note that it would be the sender's private key that is used to sign the JWT and produce a JSON Web Signature (JWS) object. Apparently that applies to the JWT that you're looking at.

When using a public key for encryption, it can be used to hide content from anyone but the intended recipient. The result is a JSON Web Encryption (JWE) object. Note that it would be the public key of the recipient that is used to encrypt the JWT. Apparently that is what you're looking for.

See: http://jose.readthedocs.org/en/latest/
