堆栈内存溢出
  简体   繁体   English

为什么 jwt 令牌显示有效负载,即使我没有在 Jwt.io 中提供秘密(签名)?

[英]Why jwt token shows payload even i didn't provide secret (Signature ) in Jwt.io?

 原文  2019-10-01 12:51:15       javascript/ node.js/ jwt

问题描述

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjIsImlhdCI6MTU2ODY1NjI1OX0.E2TNtWjqyPC-4myEom6leLJgE96ZlQOq0-mcBr3p5QU

If we place the token which is generated from my code using JsonWebToken in Jwt.io site it is decoded immediately even though I did not provide the secret to validate.如果我们将使用 JsonWebToken 从我的代码生成的令牌放在 Jwt.io 站点中,即使我没有提供验证的秘密,它也会立即解码。 I don't know why it shows.我不知道为什么它显示。 Can somebody explain the reason for that?有人可以解释原因吗?

--Then what is purpose of SECRET in Jwt?? --那么Jwt中SECRET的用途是什么?

1 个解决方案

解决方案1
 1  2019-10-01 13:01:15

I think you're getting a little confused between encryption and signing.我认为您在加密和签名之间有些困惑。

A JSON web token is not encryped, it's just base64 encoded meaning it's very simple to decode and view by anyone. JSON web 令牌没有加密,它只是 base64 编码,这意味着任何人都可以非常简单地解码和查看。

It is however signed, which means it has a hash generated based on all the information within it and a secret key.然而,它是经过签名的,这意味着它有一个hash基于其中的所有信息和一个密钥生成。 Only those with a secret key (for symmetric hashing) or the public key (for asymmetric hashing) are able to confirm that the token has been hashed correctly, and only the provider of the key (who owns the secret token) is able to create valid hashes.只有拥有密钥(用于对称散列)或公钥(用于非对称散列)的人才能确认令牌已正确散列,并且只有密钥的提供者(拥有秘密令牌)才能创建有效的哈希。

What this does, is gives you confidence that the token has been created by the person/service you think it was created from, preventing impersonation etc and therefore allows you to trust the claims that have been made within the token.这样做的目的是让您确信令牌是由您认为创建它的人/服务创建的,防止冒充等,因此允许您信任在令牌中提出的claims If that hash were invalid for any reason you would immediately reject the token on the basis it's most likely forged.如果该 hash 由于任何原因无效,您将立即拒绝该令牌,因为它很可能是伪造的。

Note that as @FlorentMorselli mentioned there is such a think as an encrypted token called a JWE .请注意,正如@FlorentMorselli 提到的那样,有一种称为JWE的加密令牌的想法。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 即使我在授权中输入令牌,JWT 也会返回无效签名错误 - JWT Returns Invalid Signature Error Even When I enter the token in Authorization 创建没有签名的JWT令牌? - Create JWT token without signature? JWT令牌签名验证javascript - JWT token signature validation javascript 具有Firebase身份验证的JWT令牌有效负载不一致 - Inconsistent JWT token payload with Firebase Authentication 如何在客户端解码 JWT 令牌有效负载? - How to decode JWT Token payload on client side? 为什么要在JWT令牌中放置CSRF令牌? - Why should I put a CSRF token in a JWT token? 如何每“t”分钟刷新一次 JWT 令牌? - How can I refresh JWT token every "t" minutes? JWT有效负载中的角色值 - Role value in JWT payload JWT 负载加密,无需任何 JS 访问令牌 - JWT payload encryption without any JS access to token 将非用户字段添加到有效负载中以在JWT令牌中使用 - Adding non user field to payload for use in JWT token
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM