
I was using JWT authentication on my website for login data. It looks like we can decode the JWT token without a key. Try the website below. It's shocking to me. So is there any better token authentication method apart from JWT token authentication?

http://calebb.net/

You can try it with any key. Example from the site https://medium.com/@siddharthac6/json-web-token-jwt-the-right-way-of-implementing-with-node-js-65b8915d550e

Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhMSI6IkRhdGEgMSIsImRhdGEyIjoiRGF0YSAyIiwiZGF0YTMiOiJEYXRhIDMiLCJkYXRhNCI6IkRhdGEgNCIsImlhdCI6MTUyNTE5MzM3NywiZXhwIjoxNTI1MjM2NTc3LCJhdWQiOiJodHRwOi8vbXlzb2Z0Y29ycC5pbiIsImlzcyI6Ik15c29mdCBjb3JwIiwic3ViIjoic29tZUB1c2VyLmNvbSJ9.ID2fn6t0tcoXeTgkG2AivnG1skctbCAyY8M1ZF38kFvUJozRWSbdVc7FLwot-bwV8k1imV8o0fqdv5sVY0Yzmg

johnie
  • The ability to decode it is the usefulness of having a JWT. It provides a stateless approach to sharing information between the client and the server. You should not store sensitive information in the JWT token. Yet JWT facilitates integrity through signing, preventing man-in-the-middle attacks. – Deepal Jun 17 '19 at 21:59

1 Answer


The token you provided is a JWS, i.e. a signed token. As with any other digitally signed data, the payload can be read.

I think the confusion comes from the article you mentioned, where it is written "Encryption algorithm to be used to protect the token", whereas for JWS the algorithm is a signature algorithm.

Fortunately a user commented: "It [the token] is encoded in plain base64."

Other SO users pointed out this question and this other one that are very similar.

  • Usually tokens are just signed (JWS)
  • Tokens can also be encrypted (JWE) or signed then encrypted (nested tokens)

With appropriate means (session storage only, HTTPS channel, HttpOnly + Secure cookies), JWS can be perfectly secure even if the content can be read.

Florent Morselli
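As an added example (not code from the question, the linked article, or the answer above), the following Python reads the token quoted in the question with no key at all, which is the behaviour that surprised the asker, and then shows what the signature in a JWS actually buys: an HS256 signer and verifier built only on the standard library, where editing a claim in the readable payload makes verification fail. The secret key, the sample claims and the `tamper` helper are made up for the demonstration; the verifier pins the algorithm itself rather than trusting the `alg` field in the token.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# RS256-signed token quoted in the question. We hold no key for it, which is the point:
# header and claims are base64url text, not ciphertext.
QUESTION_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJkYXRhMSI6IkRhdGEgMSIsImRhdGEyIjoiRGF0YSAyIiwiZGF0YTMiOiJEYXRhIDMiLCJkYXRhNCI6IkRhdGEgNCIsImlhdCI6MTUyNTE5MzM3NywiZXhwIjoxNTI1MjM2NTc3LCJhdWQiOiJodHRwOi8vbXlzb2Z0Y29ycC5pbiIsImlzcyI6Ik15c29mdCBjb3JwIiwic3ViIjoic29tZUB1c2VyLmNvbSJ9."
    "ID2fn6t0tcoXeTgkG2AivnG1skctbCAyY8M1ZF38kFvUJozRWSbdVc7FLwot-bwV8k1imV8o0fqdv5sVY0Yzmg"
)


def b64url_decode(segment: str) -> bytes:
    """Decode base64url (RFC 4648 section 5); JWT strips the '=' padding, so restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode as unpadded base64url, the way JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def peek(token: str) -> Tuple[dict, dict]:
    """Return (header, claims) of any JWS without a key. Nothing here is verified."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def hs256_sign(claims: dict, key: bytes) -> str:
    """Build a JWS with HMAC-SHA256 over 'header.payload' (RFC 7515 compact form)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def hs256_verify(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the signature checks out, else None.

    The expected algorithm is fixed by the verifier, not read from the token, so a
    header rewritten to another algorithm (or to 'none') is rejected outright.
    """
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):  # constant-time compare
        return None
    return json.loads(b64url_decode(payload_b64))


def tamper(token: str, **changes) -> str:
    """Hypothetical attacker step: edit claims in the payload but keep the old signature."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    new_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload}.{signature_b64}"


if __name__ == "__main__":
    # 1. Reading the question's token needs no secret at all.
    header, claims = peek(QUESTION_TOKEN)
    print("header:", header)
    print("claims:", claims)

    # 2. Signing gives integrity, not confidentiality: the payload is still readable,
    #    but changing it without the key breaks verification.
    secret = b"demo-only-secret-do-not-reuse"  # constructed for the example
    token = hs256_sign({"sub": "alice", "role": "user"}, secret)
    print("verified:", hs256_verify(token, secret))
    forged = tamper(token, role="admin")
    print("forged payload reads as:", peek(forged)[1])
    print("forged verifies as:", hs256_verify(forged, secret))
```

Running it prints the question's header and claims in clear, then shows that the forged token still decodes to `role: admin` with `peek` but is rejected by `hs256_verify`. That is the whole distinction the answer draws: a JWS hides nothing, so anything secret belongs in a JWE or stays server-side, while the signature is what stops a client from rewriting its own claims.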