
I am just reading about JWT to encrypt some of a user's personal data so that it can be passed to other APIs securely.

    using System;
    using System.Collections.Generic;
    using JWT;   // jwt-dotnet (JWT.JsonWebToken in the 1.x API)

    // Claims to carry in the token
    var payload = new Dictionary<string, object>()
    {
        {"email", "test@test.com"},
        {"phone", "9878987899"}
    };
    // Encode the payload and sign it with the shared secret using HMAC-SHA512
    var encoded = JWT.JsonWebToken.Encode(payload, "secret", JwtHashAlgorithm.HS512);
    Console.WriteLine(encoded);  // prints header.payload.signature, each part base64url

Now I can decode the token as shown below:

    // Decode without verifying: no key is passed, the payload is still returned
    var decoded = JWT.JsonWebToken.Decode(encoded, "", verify: false);   // no security key
    Console.WriteLine(decoded);  // prints the JSON payload

The above code decodes the token and returns the JSON payload, which is encrypted. If you observe, I didn't pass the secret key, but I can still decode the token.

I passed `verify: false` above. Now if I set it to true, it fails, saying the signature is invalid. This is the expected behaviour.

My question is, what is the purpose of the security key if anyone can decode the token by setting `verify: false`?

Venkata Dorisala
  • The key is there so you can check if someone else has changed the message. – jao Feb 28 '17 at 17:49
  • @jao thanks. So anyone can decode the token using a `JWT debugger` or some other tool, but they can't tamper with it unless they have the `security key`. Is it safe to store confidential info in a JWT? – Venkata Dorisala Feb 28 '17 at 17:51
  • 1
    I wouldn't store a password or a customer's address in a JWT. Also, see https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/ and https://stormpath.com/blog/jwt-the-right-way – jao Feb 28 '17 at 17:54

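As an added example (not code from the question or from the jwt-dotnet library), the stdlib-only Python below reproduces what the two C# calls do with the same secret and claims. It shows why `Decode(..., verify: false)` needs no key: a signed JWT (a JWS) is three base64url parts, and the payload is plain JSON that anyone can read. The key is used only to compute and check the HMAC-SHA512 signature, so a tampered payload is still readable but fails verification. Confidentiality would need an encrypted JWT (JWE), which is a different construction. The `alg` pinning in `verify_hs512` is this example's own choice, not something the library is claimed to do.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"secret"  # the same demo key the question uses

# Constructed sample claims, identical to the question's payload
CLAIMS = {"email": "test@test.com", "phone": "9878987899"}


def b64url_encode(data: bytes) -> str:
    """JWT uses unpadded base64url, not plain base64."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Restore the padding that JWT strips before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json_b64(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def encode_hs512(payload: dict, key: bytes) -> str:
    """Equivalent of JsonWebToken.Encode(payload, key, HS512): header.payload.signature."""
    signing_input = _json_b64({"typ": "JWT", "alg": "HS512"}) + "." + _json_b64(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """Equivalent of Decode(token, "", verify=False): the key is never touched."""
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_hs512(token: str, key: bytes) -> dict:
    """Equivalent of Decode(token, key, verify=True): recompute the HMAC and compare."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm (assumption for this example): never trust the token's own
    # "alg" to pick the check, which is what the "alg: none" downgrade abuses.
    if header.get("alg") != "HS512":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("Signature is invalid")
    return json.loads(b64url_decode(payload_b64))


def tamper(token: str, new_payload: dict) -> str:
    """What an attacker without the key can do: swap the payload, keep the old signature."""
    header_b64, _payload_b64, sig_b64 = token.split(".")
    return ".".join([header_b64, _json_b64(new_payload), sig_b64])


def verifies(token: str, key: bytes) -> bool:
    try:
        verify_hs512(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = encode_hs512(CLAIMS, SECRET)
    print("token:", token)
    print("read without key:", decode_unverified(token))
    print("verifies with key:", verifies(token, SECRET))
    print("verifies with wrong key:", verifies(token, b"wrong"))
    forged = tamper(token, {"email": "attacker@test.com", "phone": "0"})
    print("forged payload readable:", decode_unverified(forged))
    print("forged token verifies:", verifies(forged, SECRET))
```

Run it and the contrast is the whole answer to the question: `decode_unverified` returns the email and phone from any token with no key at all, while only `verify_hs512` with the right key accepts the original token and rejects the forged one.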