I am using JWT. To encrypt the token I am using the HS512 signature algorithm with base64EncodedSecretKey in Java. After I get the token I am able to decrypt it without knowing the secret key. How is this possible? Is there anything wrong with my token?
    import io.jsonwebtoken.Jwts;
    import io.jsonwebtoken.SignatureAlgorithm;
    import java.util.Date;

    // SECRET, username and EXPIRATIONTIME are defined elsewhere in my code
    String JWT = Jwts.builder()
        .signWith(SignatureAlgorithm.HS512, SECRET)                         // HMAC-SHA512 over header.payload
        .setSubject(username)                                              // "sub" claim
        .setExpiration(new Date(System.currentTimeMillis() + EXPIRATIONTIME)) // "exp" claim
        .setAudience("ADMIN")                                              // "aud" claim
        .compact();                                                        // header.payload.signature
Here JWT is my token, and I set the secret key by calling signWith(SignatureAlgorithm.HS512, SECRET), where String SECRET is my key.
But when I make a request with the correct user_name and password through Postman, I receive this token in the header:
eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTUyMjkyMjAzOSwiYXVkIjoiQURNSU4ifQ.Wye52RTz8P3_7gPxZnJHOArA-ixaNHhQEcfoiAELu_56WXmMcZEAOlUyqP8yI0CWOZ4deXFRcP6azBpZpwNt-w
When I decrypt it I can view the token data:

    {
        alg: "HS512"
    }

    {
        sub: "admin",
        exp: 1522922039,
        aud: "ADMIN"
    }
So my question is: How is it possible to decrypt the JWT without knowing my secret key?
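The following is an added example (not the asker's code and not jjwt) that rebuilds what HS512 signing does, in Python rather than Java, so the answer can be seen by running it: the header and payload of a JWS are only base64url-encoded and can be read by anyone, while the secret is consumed by the HMAC-SHA512 tag in the third segment, which is what a server checks before trusting the claims. It decodes the exact token from the question without any key, then signs and verifies a token with a constructed demo secret (an assumption; the asker's real key is not on the page), and shows that a wrong key, a modified payload or an expired exp all fail verification.

```python
import base64
import hashlib
import hmac
import json
import time

# Token copied from the question above. Its first two segments are readable by
# anyone; only the third (the HMAC-SHA512 tag) depends on the secret, which is
# not on the page, so this token can be decoded here but not verified.
QUESTION_TOKEN = (
    "eyJhbGciOiJIUzUxMiJ9."
    "eyJzdWIiOiJhZG1pbiIsImV4cCI6MTUyMjkyMjAzOSwiYXVkIjoiQURNSU4ifQ."
    "Wye52RTz8P3_7gPxZnJHOArA-ixaNHhQEcfoiAELu_56WXmMcZEAOlUyqP8yI0CWOZ4deXFRcP6azBpZpwNt-w"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str):
    """Read header and payload with no key at all.

    This is everything a 'JWT decoder' site does. It says nothing about who
    produced the token or whether it was changed after it was issued.
    """
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs512(claims: dict, secret: bytes) -> str:
    """Build a compact JWS like jjwt's HS512: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"alg": "HS512"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs512(token: str, secret: bytes, now=None):
    """Return the claims only if the HMAC matches and the token is unexpired, else None.

    The secret is needed here, not for reading the payload: it is what lets the
    server distinguish a token it issued from one anybody could have assembled.
    """
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        presented_tag = b64url_decode(signature_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm to what this issuer uses; never trust the token's own header.
    if header.get("alg") != "HS512":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_tag = hmac.new(secret, signing_input, hashlib.sha512).digest()
    if not hmac.compare_digest(expected_tag, presented_tag):  # constant-time compare
        return None
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def swap_payload(token: str, new_claims: dict) -> str:
    """Re-encode the payload but keep the old tag: the edit verification must reject."""
    header_b64, _payload_b64, signature_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{signature_b64}"


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"  # constructed for this example, not the asker's key
    claims = {"sub": "admin", "exp": 4102444800, "aud": "ADMIN"}  # exp = 2100-01-01
    token = sign_hs512(claims, SECRET)
    print("read without key :", decode_unverified(token))
    print("verified, right key:", verify_hs512(token, SECRET))
    print("verified, wrong key:", verify_hs512(token, b"guess"))
    print("edited payload     :", verify_hs512(swap_payload(token, {"sub": "root"}), SECRET))
    print("question token read:", decode_unverified(QUESTION_TOKEN))
```

Running it prints the question's header and payload from decode_unverified with no key involved, while verify_hs512 returns the claims only for the right secret and an untouched, unexpired token; note that the question's token has exp 1522922039, so even its own server would reject it as expired today.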