Decoding JWT tokens without the secret

2018-07-01 01:47:06

I created a token with the private key by JWT, but when I try to decode it on http://kjur.github.io/jsjws/tool_jwt.html, I found that the token can be decoded without any key given. So is it correct that the JWT token is just a signing? How to keep the token from decoded without the key?

There are two ways in which a public/private keys can be used by a JWT: signing and encryption.

If you use a private key for signing, it allows for the recipient to identify the sender of the JWT and the integrity of the message by not to hide its contents from others (confidentiality). Note that it would be the sender's private key that is used to sign the JWT and produce a JSON Web Signature (JWS) object. Apparently that applies to the JWT that you're looking at.

When using a public key for encryption it can be used to hide content from anyone but the intended recipient. The result is a JSON Web Encryption object. Note that it would be the public key of the recipient that is used to encrypt the JWT. Apparently that is what you're looking for.

See: http://jose.readthedocs.org/en/latest/

链接地址: http://www.djcxy.com/p/86668.html

上一篇: 用于api响应的Swagger doc（类型列表）

下一篇: 解密JWT令牌没有秘密