Logic of the JWT(JSON Web Tokens)

Mert Simsek on August 15, 2018

In this post, we will learn what is the JWT and logic of the JWT. The IETF is designed as a standard token format. Such as validation, user ident... [Read Full]
markdown guide
 

Great introduction Mert, I would also add that this format in itself is not secured so folks never use JWT as it but add some security layer when you send it through your APIs. You can secure it for example in Laravel (to stay around PHP code):

namespace App\Http\Controllers;

use Crypt;

class MyController extends Controller {
  public function index() {
    $jwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
    $secured_jwt = Crypt::encrypt($jwt); 

    // Send it using GuzzleHttp, ...
  }
}

Because it is base64 based, JWT are easily decodable so beware! You can have fun decode wild JWT using jwt.io debugger.

 

This is a very ignorant claim. The security or lack of it has nothing to do with base64. JWT is not an encryption format, it's a signed token.

You should of course not store any sensitive data, such as passwords or similar in the token unencrypted, but this applies to everything and not just JWT.

The reason for real security issues with JWT is the fact that the standard pretty much requires you to accept ANY JWT token that is valid, and one of the valid signature algorithms for it is "None". This means, that unless you specifically break the standard, and check for the signature algorithm used in addition to the validity of the signature before trusting it, you can easily leave yourself vulnerable to a trivial attack.

In short: never trust a 3rd party JWT implementation completely, because they probably just blindly follow the standard, and never store any actually secret data in it in unencrypted format if you pass it to external systems.

 

Completely agree with you, said it in a clumsy way!

code of conduct - report abuse