Is it okey to extract userId from JWT token

Asked Jan 18 '21 at 23:40

Active Jan 18 '21 at 23:40

Viewed 23 times

I can't quite understand how secure JWT tokens are. If a user makes an HTTP request and the JWT token is authorized. Can I fetch the UserId from the JWT (we of course store the user id in the claim). Or is there a possibility that someone can manipulate the JWT token and change his/her userId?

Incase JWT is not a good practice to extract userId. Do we have another way to do that? (.Net core web api)

asked Jan 18 '21 at 23:40

Big tasty yama Mcfeast

Is your JWT signed? – gunr2171 Jan 18 '21 at 23:42
Yes the JWT token is signed with HmacSha256Signature. I'm just thinking because when I create the token I also use a secret key. – Big tasty yama Mcfeast Jan 18 '21 at 23:47
So you can use that signature with the public key from the JWT provider to compute if the JWT has been manipulated. See the link above. – gunr2171 Jan 18 '21 at 23:48
@gunr2171 When HS256 is used for the signature, there's no public key. It's a symmetric key algorithm and the token provider will keep the key secret. – jps Jan 19 '21 at 08:18

Is it okey to extract userId from JWT token

0 Answers0