
I can't quite understand how secure JWT tokens are. If a user makes an HTTP request and the JWT token is authorized, can I fetch the UserId from the JWT (we of course store the user id in the claim)? Or is there a possibility that someone can manipulate the JWT token and change his/her userId?

In case JWT is not a good practice to extract userId, do we have another way to do that? (.NET Core Web API)

Aram Yako
  • Is your JWT signed? – gunr2171 Jan 18 '21 at 23:42
  • Yes, the JWT token is signed with HmacSha256Signature. I'm just thinking because when I create the token I also use a secret key. – Aram Yako Jan 18 '21 at 23:47
  • So you can use that signature with the public key from the JWT provider to compute if the JWT has been manipulated. See the link above. – gunr2171 Jan 18 '21 at 23:48
  • @gunr2171 When HS256 is used for the signature, there's no public key. It's a symmetric key algorithm and the token provider will keep the key secret. – jps Jan 19 '21 at 08:18
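The comments above settle on the key point: with HS256 the server holds a shared secret, and any request that changes the payload without knowing that secret produces a token whose signature no longer matches. The following is an added example (not code from the question or from any .NET library) that implements HS256 signing and verification with only the Python standard library so the check is visible end to end: it issues a token carrying a `userId` claim, shows that a token whose `userId` was rewritten without the secret is rejected, and only returns the claim after the signature and the `alg` header have been validated. The secret, claim names and sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the example; a real server keeps this out of source control.
SECRET = b"example-shared-secret-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    s += "=" * (-len(s) % 4)  # restore padding before decoding
    return base64.urlsafe_b64decode(s)


def create_hs256_token(claims: dict, secret: bytes) -> str:
    """Issue a JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_and_get_user_id(token: str, secret: bytes):
    """Return the userId claim only if the token is a validly signed HS256 JWT, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose how it is verified
        # (rejects alg=none and any attempt to swap in a different algorithm).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
        ).digest()
        # Constant-time comparison so the check does not leak how many bytes matched.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64/JSON/structure
        return None
    if not isinstance(payload, dict):
        return None
    return payload.get("userId")


def edit_claim_without_secret(token: str, new_user_id) -> str:
    """Rewrite the payload's userId but keep the original signature.

    This models what someone who does not hold the secret can do to a token;
    verify_and_get_user_id must reject the result.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["userId"] = new_user_id
    new_payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return header_b64 + "." + new_payload_b64 + "." + sig_b64


if __name__ == "__main__":
    token = create_hs256_token({"sub": "alice", "userId": 42}, SECRET)
    print("valid token ->", verify_and_get_user_id(token, SECRET))
    print("edited payload ->", verify_and_get_user_id(edit_claim_without_secret(token, 1), SECRET))
    print("wrong secret ->", verify_and_get_user_id(token, b"some-other-key"))
```

The only thing that protects the `userId` claim is that the server checks the signature before reading the claim; the payload itself is plain base64url and anyone holding the token can read it. In ASP.NET Core the JWT bearer authentication middleware performs this validation against the configured signing key before it populates `HttpContext.User`, so reading the id from `User.Claims` in an `[Authorize]` endpoint is the equivalent of the verified path here; reading claims from the raw `Authorization` header without that validation is the equivalent of trusting the edited token.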
