
It goes like this: I make a login request to the server. If the login attempt is successful, it sends back a web token to the client side.

It then saves the web token in the local storage for future usage.

However, I need to get the ID of the user that logged in and save it for future usage, which is encrypted in the hash code that I received.

In the server-side Java, I can do something like:

int id = (int) Jwts.parser().setSigningKey(gm.getKey()).parseClaimsJws(token).getBody().get("id_user");

but I need it on the client side, with JavaScript.

Does anyone have an idea of how to do this?

I've thought of 2 workarounds, but I'm sure there's an easier and faster way of doing it.

A) I could make a separate POST request to the server in which I send the web token I just received which then returns the id of the user.

B) I could also make an "Auth" class that has a String hash_code and an int id_user, then send back an object of that Auth class as JSON and work from there.

Anyway, thanks.

Rui

3 Answers


The answer is: it depends. Is the payload in your JWT claims encrypted? Often it is not. What you're doing on the server is really two steps:

  1. Verifying the signature.
  2. Retrieving the payload.

Step 1 cannot be done securely in the client, as it requires your secret key. If step 1 has been done on the server, then your business information may be available in the JWT in plain JSON.

Matt Morgan

If you're encrypting the entire JWT, option A makes the most sense (would also help with testing, to have a quick way to validate the token).

If you are only signing the JWT, it's just JSON that you should be able to read as normal in JavaScript (How to decode jwt token in javascript). If there's no secret information in it, signing should be sufficient.

You could also encrypt the secret information, put it in the JWT and then just sign it (to verify your server issued it and it's being sent by the client unmodified), while leaving the other info (like user id) in plaintext.

Vivek Chavda
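An added example, not code from the question or from either answer above, of what "read it as normal in JavaScript" looks like for a signed (not encrypted) JWS, together with the point from the first answer that parsing is not verifying. The token, its claims (the `id_user` name is taken from the question; `sub`, `iat` and `exp` are assumed), and the placeholder signature segment are all constructed for this example; no HMAC is computed anywhere, because the signing key must never be shipped to the browser.

```javascript
// Added example: read the claims of a signed JWS token on the client.
// Nothing here checks the signature. An HMAC key must never reach the client,
// so the client can only parse, never verify. The sample token is constructed
// for this example; its signature segment is a placeholder, not a real HMAC.

function base64UrlEncode(str) {
  // UTF-8 encode, then standard base64, then the URL-safe alphabet without padding.
  const bytes = new TextEncoder().encode(str);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  // Reverse of the above; base64url drops padding, so restore it before atob().
  let s = segment.replace(/-/g, '+').replace(/_/g, '/');
  switch (s.length % 4) {
    case 2: s += '=='; break;
    case 3: s += '='; break;
    case 1: throw new Error('invalid base64url segment');
  }
  const bin = atob(s);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // claims may contain non-ASCII text
}

// Split a compact JWS into its three segments and JSON-decode the first two.
// "Unverified" is in the name on purpose: the caller gets claims, not trust.
function decodeJwtUnverified(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2],
  };
}

// The question's use case: pull id_user out for UI purposes only.
function getUserId(token) {
  const { payload } = decodeJwtUnverified(token);
  if (typeof payload.id_user !== 'number') throw new Error('id_user claim missing');
  return payload.id_user;
}

// Client-side expiry check: a UX convenience (refresh before the server rejects),
// not a security control, since both the client clock and the claim are untrusted.
function isExpired(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { payload } = decodeJwtUnverified(token);
  return typeof payload.exp === 'number' && payload.exp <= nowSeconds;
}

// Why the client must not make authorization decisions from what it decodes:
// anyone can rewrite the payload and keep the old signature segment. The client
// cannot tell the difference; only the server's signature check can.
function tamperPayload(token, overrides) {
  const [h, p, s] = token.split('.');
  const claims = { ...JSON.parse(base64UrlDecode(p)), ...overrides };
  return `${h}.${base64UrlEncode(JSON.stringify(claims))}.${s}`;
}

// Constructed sample token (hypothetical claims; the signature is a placeholder).
const SAMPLE_HEADER = { alg: 'HS256', typ: 'JWT' };
const SAMPLE_CLAIMS = { sub: 'rui', id_user: 73, iat: 1500000000, exp: 1500003600 };
const SAMPLE_TOKEN =
  `${base64UrlEncode(JSON.stringify(SAMPLE_HEADER))}.` +
  `${base64UrlEncode(JSON.stringify(SAMPLE_CLAIMS))}.` +
  'placeholder-signature-not-an-hmac';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('header :', decodeJwtUnverified(SAMPLE_TOKEN).header);
  console.log('id_user:', getUserId(SAMPLE_TOKEN));
  console.log('expired at exp?', isExpired(SAMPLE_TOKEN, SAMPLE_CLAIMS.exp));
  const forged = tamperPayload(SAMPLE_TOKEN, { id_user: 1 });
  console.log('forged id_user decodes to', getUserId(forged),
    '- signature unchanged:', forged.split('.')[2] === SAMPLE_TOKEN.split('.')[2]);
}
```

The decode functions use only `atob`/`btoa` and `TextDecoder`, so the same code runs in a browser and in Node 16 or later. Use the decoded `id_user` for display and for choosing which request to send next; any decision that matters (which records to return, what the user may change) belongs on the server, after it has verified the signature.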

I would have a GET method on the server side which would be called without any parameters but with an Authorization Bearer header referencing that JWT token (just like any other secured endpoint). Which in turn would get the JWT, parse the user as you described and return it in JSON.

tsolakp