2

Have setup a test server with express, socket.io and a token-based authentication with jwt

Have looked at this tutorial https://auth0.com/blog/2014/01/15/auth-with-socket-io/

On the server-side the tutorial logs the decoded token

console.log(socket.handshake.decoded_token.email, 'connected');

But when I try to log socket.handshake.decoded_token the variable is undefined.. socket.handshake doesn't contain any variables with the decoded token

So.. I tried to google how to decode the token and found this page https://developers.google.com/wallet/digital/docs/jwtdecoder

I pasted the public token and the script decoded the token without the jwtSecret!? Hmmm... And then I'm thinking.. How can it be secure if the script can decode the token without the secret!?

The public token which is returned to the client as authentication

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwibmFtZSI6ImNsYXJrIiwiZW1haWwiOiJjbGFya0BlbGVjdHJvYmVhdC5kayIsImlhdCI6MTQwMzczMTkyMSwiZXhwIjoxNDAzNzM1NTIxfQ.mVFymk6gKBPmcVObB_3ydqbJTlcv4eVNYBcahsjg0g8
clarkk
  • 27,151
  • 72
  • 200
  • 340

2 Answers2

2

The token is not encrypted, just encoded.

The signature, built with your secret, is the important bit and ensures that the token hasn't been tampered with.

Here's a decent (and short) writeup that explains that in a bit more detail

dc5
  • 12,341
  • 2
  • 35
  • 47
  • ok :) if the token is only encoded, why then put user variables in it which can be decoded by anyone? – clarkk Jun 27 '14 at 00:13
  • The general (basic) recommendation is 1. don't put sensitive data in the token. 2. don't pass them in the clear. 3. Pass them in a header or body (not on the url). JWT is basically just a container format for a set of claims. When a signature is present and validated, you can trust those claims. This topic is much deeper than this and I highly encourage you to spend some time on the various RFC's related to this (JWT, JWS, OAuth JWT Bearer tokens, etc) as well as researching security related discussions on the topic. – dc5 Jun 27 '14 at 17:10
1

It's about weather you trust the issuer of token to provide claims being held by token it self. Anyone can decode it, also anyone can encode the exact same json payload, but only you can decide based on your secret key weather signature gets verified or not.

So in a potential breach scenario of you dropping your jwt secret somewhere, you should be able to change secret and basically invalidate all issued tokens with that secret.

bigkahunaburger
  • 426
  • 5
  • 10