Discussion on: Learn using JWT with Passport authentication

AlexErdei73

The article says that JSON Web Tokens are encrypted. I would like to correct this. These are not encrypted, but Digitally Signed. Anybody can read the content of these tokens with the base64url library, which only changes the character encoding, so no encryption here. What does a Digital Signature do? It ensures that your app can check that the token has not been changed by someone else since it was issued by your app. It also ensures that your app signed it after the user successfully logged in with the correct credentials. These two things make sure in most cases that whoever has the token is your signed-in user. Unfortunately, it is not necessarily true. If your app uses third-party JavaScript and that code is malicious, it can take the token from local storage. This way someone else may sign in to the app like your logged-in user. This is a kind of security loophole regarding these tokens. You can hear more about it in the following talk: Why JSON Web Tokens Suck