
I just noticed a massive flaw with my JWT setup - I have a WebAPI project and am authenticating using JWT as set up in this guide here.

I am sending the user's ID to them as part of the token payload. This is so they can only retrieve resources which are theirs from the API.

The problem I have noticed is the following, if I:

  1. Call login() and get a JWT back from the server
  2. Take the token and decode it on https://jwt.io/
  3. Change the payload so that the ID (that I'm sending to identify the user) is another ID
  4. Use the new Encoded token in an API call
  5. The token is accepted by the API and can be used to retrieve resources which don't belong to the user.

Why isn't the token invalidated when the user changes the payload - does this not defeat the purpose of the token?

TomSelleck
  • The signature is invalidated if you change the content of the token. You must verify the digital signature of every received token, therefore: 1) you are not doing it properly, 2) you are modifying the token in jwt.io using your **secret key**, so the new token is valid too (but an attacker cannot do it) – pedrofb Dec 08 '17 at 17:27
  • Ah yes, I was testing it with the secret key on the jwt.io... – TomSelleck Dec 08 '17 at 17:34

0 Answers
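The mechanism pedrofb's comment describes, shown end to end as an added example (this is not code from the question, the linked guide, or any JWT library): a minimal HS256 issuer and verifier built from the standard library. The secret, the `sub` claim standing in for the user ID, and the helper names are constructed for the demo. `tamper_payload` reproduces the jwt.io edit made *without* the secret (payload swapped, old signature kept), which the verifier must reject; `issue_token` with the secret reproduces what happened when the secret was pasted into jwt.io, which is why that test looked like a bypass.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; in a real API this value lives only on the server.
SECRET = b"server-side-secret-do-not-share"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, secret: bytes) -> str:
    return _b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())


def issue_token(payload: dict, secret: bytes = SECRET) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    return ".".join(segments + [_sign(signing_input, secret)])


def verify_token(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Return the payload only if the signature matches the secret; None otherwise.

    This is the step the API must run on every request before trusting any
    claim (such as the user ID) carried in the payload.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = _sign(signing_input, secret)
    # Constant-time comparison so signature bytes are not leaked via timing.
    if not hmac.compare_digest(expected, sig_b64):
        return None
    return json.loads(_b64url_decode(payload_b64))


def tamper_payload(token: str, new_payload: dict) -> str:
    """Swap the payload segment but keep the original signature, which is what
    editing the decoded payload on jwt.io *without* the secret produces."""
    header_b64, _, sig_b64 = token.split(".")
    payload_b64 = _b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"


def demo() -> tuple:
    token = issue_token({"sub": "user-42"})
    genuine = verify_token(token)                      # payload accepted
    forged = tamper_payload(token, {"sub": "user-7"})
    tampered = verify_token(forged)                    # None: signature no longer matches
    # Re-signing with the secret yields a valid token again: this is the
    # "valid too" case from the comment, and why the secret must stay server-side.
    resigned = verify_token(issue_token({"sub": "user-7"}))
    return genuine, tampered, resigned


if __name__ == "__main__":
    print(demo())
```

Usage: run the file; `demo()` returns the genuine payload, `None` for the tampered token, and the re-signed payload. The design point is that the payload is only *encoded*, not encrypted, so changing the ID is trivial; what makes the change detectable is that the HMAC covers the header and payload bytes exactly, and the server recomputes it with a secret the client never sees.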