
JWT Token Storage

I have been going through some of my .NET Core2 services and adding some JWT authentication to them to provide some basic security.

I created a new ProvisioningService which has an endpoint that builds a token and returns it:

// Namespaces needed: System, System.Text, System.IdentityModel.Tokens.Jwt, Microsoft.IdentityModel.Tokens.
// `_config` (IConfiguration) and `claims` (IEnumerable<Claim>) are assumed to be in scope.
// The HMAC signing key is taken straight from the Jwt:Key configuration value.
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:Key"]));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

// Issuer and audience are both set to Jwt:Issuer; the token expires 30 minutes from now.
var token = new JwtSecurityToken(_config["Jwt:Issuer"],
        _config["Jwt:Issuer"],
        claims,
        expires: DateTime.Now.AddMinutes(30),
        signingCredentials: creds);

// Serialise to the compact header.payload.signature string that is returned to the caller.
return new JwtSecurityTokenHandler().WriteToken(token);

I altered one of my existing services (which I'll refer to as TestService) by adding AddAuthentication in the StartUp. The endpoint for this call has the [HttpPost(), Authorize] attributes. I deployed these changes to my Test server.

When I call TestService/api/updateSomething I am returned a 401 Unauthorized as expected. On my local machine, I create a new token via ProvisioningService/api/buildToken and add the token from the response to my TestService call via the Authorization header. To my surprise... this worked.

Why does my TestService (on a completely different server) view a token created on my local machine as a valid token and allow the call to work? I was expecting this to return the same 401 because I assumed this token was going to be invalid on my Test server. My inexperience with JWT is probably showing... but I am not understanding how these tokens are being stored/shared between servers.

I failed to understand that the token itself has what it needs to authorize itself after it is decrypted. This question is no longer needed.
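To show what the asker's update describes, here is an added example (not from the question and not the .NET library's code) in Python: a from-scratch HS256 signer mirroring the ProvisioningService endpoint and a validator mirroring what AddAuthentication does on TestService. Nothing is stored or shared between servers; the Test server validates because it holds the same Jwt:Key and Jwt:Issuer values and can recompute the signature itself. JWT_KEY, JWT_ISSUER and the function names are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins for the Jwt:Key / Jwt:Issuer configuration values (assumptions).
JWT_KEY = "constructed-shared-secret-at-least-32-bytes-long!"
JWT_ISSUER = "https://provisioning.example"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_token(key: str, claims: dict, issuer: str, lifetime_s: int = 1800, now=None) -> str:
    """Mirror of the ProvisioningService endpoint: HS256, iss = aud = issuer, exp = now + 30 min."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iss=issuer, aud=issuer, exp=now + lifetime_s)
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_token(token: str, key: str, issuer: str, now=None):
    """What TestService's bearer middleware does: no lookup against any store.
    It recomputes the HMAC with its *own* copy of Jwt:Key and checks alg, iss, aud and exp."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:                      # covers bad base64, bad JSON and wrong part count
        return False, "malformed"
    if header.get("alg") != "HS256":        # pin the algorithm; never trust the token's alg blindly
        return False, "unexpected alg"
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"       # a server with a different Jwt:Key answers 401 here
    if payload.get("iss") != issuer or payload.get("aud") != issuer:
        return False, "wrong issuer/audience"
    if payload.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"
```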

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish, please credit this site or the original source. For any questions contact: yoyou2525@163.com.

Guangdong ICP Filing No. 18138465  © 2020-2024 STACKOOM.COM