0

tldr: Do I need to validate a payload from the received token?

So here's the first step with the creating of the token:

from jose import jwt

to_encode = {
    "iss": "https://example.com/",
    "aud": "metaserver",
    "sub": user.username,
    "name": user.display_name,
    "metadata": metadata
}
# Here goes the updating of the payload (exp, iat, etc)
...
token = jwt.encode(to_encode, config.JWT_SECRET_KEY, algorithm=algorithm='HS256')

The metadata field is being saved in the db. It can be anything.

The second step is when I receive a client-request and I have to check the token:

decoded = jwt.decode(token, config.JWT_SECRET_KEY, audience='metaserver', algorithms=[config.ALGORITHM])

In the documentation it is mentioned that:

What is the JSON Web Token structure? In its compact form, JSON Web
Tokens consist of three parts separated by dots (.), which are:

Header
Payload
Signature

Therefore, a JWT typically looks like the following. xxxxx.yyyyy.zzzzz

So in my case the Payload field is my metadata

The question is: is it possible for the user to send a token with the "old" Header and Signature parts (xxxxx.____.zzzzz) but to include his own Payload (____.his-own-payload.____)? Is it enough for me just to rely on the result of the jwt.decode? Do I have to do an additional request to the db to compare with the received metadata?

IgorZ
  • 1,125
  • 3
  • 20
  • 44
  • 1
    The function `jwt.decode` verifies the signature. That's why you have to pass the key and algorithm to it. If you change the payload (or header), signature verification will fail. – jps May 29 '23 at 21:37
  • @jps yes, that's what I wanted to be sure in: "The server adds a signature based on the payload when issuing a token to the client" so it's secure as well to decode a token on any other separate service just having a private key. – IgorZ May 29 '23 at 22:42

0 Answers0