
decode jwt token - is it secure?

Have set up a test server with express, socket.io and token-based authentication with jwt.

Have looked at this tutorial https://auth0.com/blog/2014/01/15/auth-with-socket-io/

On the server side the tutorial logs the decoded token:

console.log(socket.handshake.decoded_token.email, 'connected');

But when I try to log socket.handshake.decoded_token, the variable is undefined; socket.handshake doesn't contain any variable with the decoded token.

So... I tried to google how to decode the token and found this page https://developers.google.com/wallet/digital/docs/jwtdecoder

I pasted the public token and the script decoded the token without the jwtSecret!? Hmmm... And then I'm thinking... How can it be secure if the script can decode the token without the secret!?

The public token which is returned to the client as authentication:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwibmFtZSI6ImNsYXJrIiwiZW1haWwiOiJjbGFya0BlbGVjdHJvYmVhdC5kayIsImlhdCI6MTQwMzczMTkyMSwiZXhwIjoxNDAzNzM1NTIxfQ.mVFymk6gKBPmcVObB_3ydqbJTlcv4eVNYBcahsjg0g8

The token is not encrypted, just encoded.

The signature, built with your secret, is the important bit and ensures that the token hasn't been tampered with.

Here's a decent (and short) writeup that explains that in a bit more detail.

It's about whether you trust the issuer of the token to provide the claims held by the token itself. Anyone can decode it, and anyone can encode the exact same json payload, but only you can decide, based on your secret key, whether the signature gets verified or not.

So in a potential breach scenario where you drop your jwt secret somewhere, you should be able to change the secret and basically invalidate all tokens issued with that secret.
