re: Logic of the JWT (JSON Web Tokens)

re: Great introduction Mert, I would also add that this format in itself is not secured so folks never use JWT as it but add some security layer when y...
 

This is a very ignorant claim. The security or lack of it has nothing to do with base64. JWT is not an encryption format, it's a signed token.

You should of course not store any sensitive data, such as passwords or similar in the token unencrypted, but this applies to everything and not just JWT.

The reason for real security issues with JWT is the fact that the standard pretty much requires you to accept ANY JWT token that is valid, and one of the valid signature algorithms for it is "None". This means that unless you specifically break the standard and check the signature algorithm used, in addition to the validity of the signature, before trusting it, you can easily leave yourself vulnerable to a trivial attack.

In short: never trust a 3rd party JWT implementation completely, because they probably just blindly follow the standard, and never store any actually secret data in it in unencrypted format if you pass it to external systems.
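A server-side check of the kind this comment describes, as an added example that is not part of the thread: the verifier pins the expected algorithm (HS256) before it even looks at the signature, so a token whose header says "none" is rejected regardless of what its signature part contains. The key and both tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(s: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(payload: dict, key: bytes) -> str:
    # Constructed helper that builds a properly signed HS256 token for the demo.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Return the payload only if the header pins HS256 and the HMAC matches.

    Raises ValueError otherwise. The algorithm is chosen by the server, not
    read from the token, so "none" (and any other alg) is refused up front.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


def accepts(token: str, key: bytes) -> bool:
    try:
        verify_hs256(token, key)
        return True
    except ValueError:
        return False


KEY = b"constructed-demo-key"  # constructed for the demo, not a real secret
GOOD = make_hs256_token({"sub": "alice"}, KEY)
# Constructed unsigned token: header {"alg":"none"} and an empty signature part.
UNSIGNED = b64url_encode(b'{"alg":"none"}') + "." + b64url_encode(b'{"sub":"admin"}') + "."
```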

 

Completely agree with you, said it in a clumsy way!
