What is a secret key in JWT

Tags:

jwt

I am unable to clearly grasp how JWT works, esp. the signature part.

Once a client submits correct username and password, the authentication server creates a JWT token consisting of header, payload/claims and signature.

Question 1 - Is the signature some secret key (not the user's password) which only the authentication server knows (sort of a private key of the server)?

Question 2 - Say I am using a separate application server and authentication server. On receiving the JWT from the client, would the application server send the JWT to the authentication server to get it validated? I suppose the application server cannot validate a JWT token as it doesn't know the secret key used to sign the header and payload.

Question 3 - I took the following JWT and pasted it on jwt.io. I see the message "Signature Verified". How does jwt.io know that the signature is correct, as it doesn't know the secret key?

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.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.GwN6TSNd426xpc3Y02eRXHbrmSr_61MMBqrmx66Ofqs

Manu Chadha Avatar asked May 14 '18 05:05

1 Answer

Question 1 - Is the signature some secret key (not the user's password) which only the authentication server knows (sort of a private key of the server)?

No, the electronic signature is a mathematical computation applied to the payload of the JWT using a secret key. The purpose is to ensure that the message has not been altered and to recognize the signer to validate the JWT.

Question 2 - Say I am using a separate application server and authentication server. On receiving the JWT from the client, would the application server send the JWT to the authentication server to get it validated? I suppose the application server cannot validate a JWT token as it doesn't know the secret key used to sign the header and payload.

Not necessarily. If a symmetric key (HMAC) is used, the signature and verification key is the same. In that case the authorization server must know the secret key or send the token to verify. However, if an asymmetric key (RSA, ECDSA) is used, the signature key is different from the verification key. The authorization server can have a copy of the public key safely.

Question 3 - I took the following JWT and pasted it on jwt.io. I see the message "Signature Verified". How does jwt.io know that the signature is correct, as it doesn't know the secret key?

jwt.io or anyone who wants to verify the token needs the secret key. Note that if you copy-and-paste the token in jwt.io, the signature is not verified, but if you change the secret key, the editor automatically changes the signature, creating a new token at that time.

pedrofb Avatar answered Nov 04 '22 20:11

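The symmetric (HS256) case from the answer, as an added example that is not part of the question or answer above: the signature is an HMAC over `header.payload` keyed with a server-side secret, so a verifier holding the same secret can recompute it, a verifier with a different secret cannot, and any edit to the payload breaks it. The secret and the claims are constructed values for the demo; only the standard library is used.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JWT uses (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url: restore padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Produce header.payload.signature for alg=HS256 (HMAC-SHA256)."""
    header = {"typ": "JWT", "alg": "HS256"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time.
    Only alg=HS256 is accepted, so a token claiming another alg is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def demo() -> dict:
    secret = b"server-side-secret-example"  # constructed; never the user's password
    token = sign_hs256({"sub": "alice", "role": "user"}, secret)
    # Tampered token: payload edited but the original signature kept.
    h, _, s = token.split(".")
    edited = _b64url(json.dumps({"sub": "alice", "role": "admin"}, separators=(",", ":")).encode())
    return {
        "valid_with_secret": verify_hs256(token, secret),        # True
        "valid_with_wrong_secret": verify_hs256(token, b"guess"),  # False: jwt.io without the secret
        "tampered_payload": verify_hs256(f"{h}.{edited}.{s}", secret),  # False
    }
```

The header segment this produces is the same `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9` that opens the token in the question, which decodes to `{"typ":"JWT","alg":"HS256"}`.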