I am new to this domain, but I was trying to generate a JWT using the JWT NuGet package.

My understanding is that you supply a secret key to sign the token, but when I got the token I went to the JWT website to test it, and the website was able to decode it without me supplying the secret key.

I thought that you generate the token and then sign it, thus preventing anybody from knowing the content of the token unless they have that secret key. Is this not the case?

Gray
Sul Aga

1 Answer

JSON Web Tokens are an encoded representation of a data structure. It is not required that this encoded data be encrypted, but it is acceptable to do so.

From the definition of Code Signing:

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a cryptographic hash.

A JWT which has been encrypted will typically have two hash values, the first to decrypt the data, the second to validate the code signing. Decoding a non-encrypted JWT is a standardized process, and can be done even if the code sign isn't verified. However, it is recommended not to use any data in a JWT if the code signing hash does not match, as this indicates the data may have been tampered with.

Not all JWT implementations support encryption; notably, there is no encryption support in Microsoft's JWT implementation (https://stackoverflow.com/a/18224381/2495283). Therefore, if you have data which you must ensure remains secret, you should encrypt the data using JWE. The JWT standards documentation shows an example of this process. The data is first encrypted, then the encrypted string and decoding algorithm are sent as the payload of the JWT.

Community
Claies
  • Thank you for your answer. I will be thankful if you can supply more resources to do a JWT generation + encryption to complete the answer. I will mark it as an answer though. – Sul Aga May 28 '15 at 22:15
  • I updated my answer with a bit more context; I hope it points you in the right direction. – Claies May 28 '15 at 22:26
  • Thank you. So let's say I generated a JWT with the above-mentioned package and then encrypted the resulting token using the available encryption mechanisms in .NET. Is there a problem with this approach? – Sul Aga May 28 '15 at 22:41
  • If you encrypt the JWT instead of encrypting the data, then you are passing an encrypted string that you are responsible for decrypting; in this scenario, the JWT isn't really serving any purpose other than being an abstraction on top of the data. The purpose of using JWT is to send a string representation of your data; since an encrypted string is this already, you lose any benefit JWT serves. – Claies May 28 '15 at 22:47
  • Sorry for keeping on asking about the same topic; I hope it doesn't bother you. So generate a JWT and encrypt only the data. This is a very sensible approach. I would be thankful if you can tell me which parts of the JWT you consider to be your data: anything apart from the standard values, or...? – Sul Aga May 28 '15 at 22:53
  • Well, for example, using the ASP.Net Identity 2.0 package, you might include the `access_token` in your JWT; the `access_token` is data that is encrypted in the authentication process, and can have claims attached (roles, for example). Other data used by the app may not be sensitive, and may not need to be included in the `access_token` (the token type, expiration, etc.). – Claies May 28 '15 at 23:02
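The point made in the question and answer above, that a signed JWT is readable by anyone but is tamper-evident only to someone holding the key, can be shown directly. The following is an added example written for this page (not code from the JWT NuGet package or the answer's author); it builds an HS256 token with only the Python standard library, reads the payload without the secret, and shows that verification rejects a token whose payload was swapped or whose header claims `alg: none`. The secret and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    # JWS uses base64url without '=' padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that base64url strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    # header.payload are plain base64url JSON; only the third part uses the key.
    header = {"alg": "HS256", "typ": "JWT"}
    compact = json.dumps
    signing_input = (b64url_encode(compact(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(compact(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_without_key(token: str) -> dict:
    # No secret involved: the payload is encoded, not encrypted, so anyone can read it.
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes) -> bool:
    # Returns True only if the signature over header.payload matches under this key.
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return False
    if header.get("alg") != "HS256":  # refuse 'none' and any algorithm we did not issue
        return False
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def swap_payload(token: str, new_payload: dict) -> str:
    # Replaces the claims while keeping the old signature, to show verification fails.
    h, _, s = token.split(".")
    return h + "." + b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode()) + "." + s
```

Run `verify_hs256` on a token from `sign_hs256` with the issuing secret, then on the result of `swap_payload` with the same secret, to see the decode-without-key and reject-on-tamper behaviour side by side.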