re: Be careful of the JWT hype train


How can you avoid any curious customer calling console.log() to show the jwt-secret?

You don't keep secrets in the JWT. Everything in a JWT should be considered public.

Can you tell me again, why we need JWT encryption?

JWT works with:

Ok, here is the key and it is unique, if it is stolen, then you are screwed. I will crc your key (and encrypt the crc) just for security.

Versus session works with:

Ok, here is the key, I will write down the key and if you don't use it for an hour, then I will invalidate it and you must ask it again. However, if you lose the key, then I can invalidate it, and since I generate the key, then it is safe.

Can you tell me again, why we need JWT encryption?

First of all, JWT is not encryption. It is authentication and authorization.

I can't tell you why you need JWT because I do not know anything about your application. But I can tell you why I am using it.

The environment I am working in consists of multiple disconnected systems, each maintained by different departments. JWT allows us to create an authentication service that is disconnected and also works across multiple systems.

Ok, here is the key and it is unique, if it is stolen, then you are screwed. I will crc your key (and encrypt the crc) just for security.

This is a complete misunderstanding of JWT and really has nothing to do with JWT.

Encryption (checking the token contents against the signature) works to ensure that everything in your JWT token is valid and hasn't been altered. So it's public, but you can trust it.

That’s not encryption, that’s just signing. The data in a JWT is base64-url encoded, but otherwise easily readable.

There is a standard for JWT encryption, but that’s a whole extra level of pain.
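The point made in this thread, that a JWT's payload is readable by anyone holding the token while the signature only proves it was not altered, can be shown with a few lines of standard-library Python. This is an added example, not code from anyone in this thread; the secret and claims are constructed for the demo, and the algorithm is pinned to HS256 on the verifier side rather than taken from the token header.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def peek_claims(token: str) -> dict:
    """Read the payload WITHOUT checking the signature: anyone holding the token can do this."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact JWS (HS256). Only the issuer holds `secret`; the token itself carries no secret."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now=None):
    """Return the claims only if the HMAC matches and the token is not expired; otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # verifier decides the algorithm, never the token
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        return None
    claims = json.loads(b64url_decode(payload_b64))
    current = int(time.time()) if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        return None
    return claims


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed for this example
    tok = sign_hs256({"sub": "alice", "role": "user", "exp": 2_000_000_000}, secret)
    print("readable by anyone:", peek_claims(tok))
    print("verified:", verify_hs256(tok, secret))
```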
