Discussion on: Logic of the JWT(JSON Web Tokens)

Janne "Lietu" Enberg

This is a very ignorant claim. The security or lack of it has nothing to do with base64. JWT is not an encryption format, it's a signed token.

You should of course not store any sensitive data, such as passwords or similar, in the token unencrypted, but this applies to everything and not just JWT.

The reason for real security issues with JWT is the fact that the standard pretty much requires you to accept ANY JWT token that is valid, and one of the valid signature algorithms for it is "None". This means that unless you specifically break the standard, and check for the signature algorithm used in addition to the validity of the signature before trusting it, you can easily leave yourself vulnerable to a trivial attack.

In short: never trust a 3rd party JWT implementation completely, because they probably just blindly follow the standard, and never store any actually secret data in it in unencrypted format if you pass it to external systems.

khalyomede

Completely agree with you, said it in a clumsy way!