I created a JWT token using a Java keystore public key and the io.jsonwebtoken library. After generation I copy-pasted the generated token into the https://jwt.io website. It decoded my token without using the private key. How come this is possible?

import java.security.*;
import io.jsonwebtoken.*;

KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(2048);
KeyPair pair = keyGen.generateKeyPair();   // 'pair' was never created in the original snippet
PrivateKey privateKey = pair.getPrivate();
Claims claims = Jwts.claims().setSubject(userName);
claims.put("scopes", scopes);
String token = Jwts.builder()
        .setClaims(claims)
        .signWith(SignatureAlgorithm.RS256, privateKey)   // RS256 signs with the private key
        .compact();
Prasad

1 Answer

Your JWT is only signed, not encrypted. The main security feature of the incoming JWT is that it has a checksum/signature at the end. Your Java program has the ability to verify that the checksum matches the actual content of the JWT (e.g. headers and claims). If the checksum does not match, then the server will assume the JWT has been tampered with and reject it. The main use of a JWT is not so much protecting critical information as it is about controlling authorization and authentication in your application.

Tim Biegeleisen
  • Yes @Tim. I am expecting a brief reply from you. – Prasad Oct 22 '19 at 10:25
  • @BadDeveloper [difference between encoding and encryption](https://stackoverflow.com/questions/4657416/difference-between-encoding-and-encryption) – jps Oct 22 '19 at 13:15
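The point of the answer, shown end to end as an added example (not code from the question or from the jjwt project): the header and payload of an RS256 token are only base64url-encoded and can be read by anyone, the signature is checked with the public key, and a token whose payload was edited fails that check. It assumes the jjwt 0.9.x API the question uses and constructs its own sample claims.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Base64;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

public class JwtSignedNotEncrypted {

    public static void main(String[] args) throws Exception {
        // Fresh RSA key pair; in a real service the private key stays in a keystore/HSM.
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
        keyGen.initialize(2048);
        KeyPair pair = keyGen.generateKeyPair();

        String token = Jwts.builder()
                .setSubject("alice")             // constructed sample claims
                .claim("scopes", "read")
                .signWith(SignatureAlgorithm.RS256, pair.getPrivate())
                .compact();

        // 1) No key needed to READ the token: header and payload are base64url text.
        //    This is all jwt.io does in the browser.
        String[] parts = token.split("\\.");
        Base64.Decoder b64 = Base64.getUrlDecoder();   // accepts unpadded input
        System.out.println("header : " + new String(b64.decode(parts[0]), StandardCharsets.UTF_8));
        System.out.println("payload: " + new String(b64.decode(parts[1]), StandardCharsets.UTF_8));

        // 2) A key IS needed to VERIFY the token: for RS256 that is the public key.
        Claims verified = Jwts.parser()
                .setSigningKey(pair.getPublic())
                .parseClaimsJws(token)
                .getBody();
        System.out.println("verified subject: " + verified.getSubject());

        // 3) Editing the payload leaves it readable but breaks the signature,
        //    so the server must reject it; this is the protection signing gives.
        String editedPayload = Base64.getUrlEncoder().withoutPadding().encodeToString(
                "{\"sub\":\"alice\",\"scopes\":\"admin\"}".getBytes(StandardCharsets.UTF_8));
        String edited = parts[0] + "." + editedPayload + "." + parts[2];
        try {
            Jwts.parser().setSigningKey(pair.getPublic()).parseClaimsJws(edited);
            System.out.println("edited token accepted (must not happen)");
        } catch (JwtException e) {
            System.out.println("edited token rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Anything that must stay secret from the token holder has to be encrypted (JWE) or kept server-side; signing only makes tampering detectable.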