0

I'm new using the JWT on web-apps. I'm not sure what info should be stored in a JWT, but in my case, I'm saving sensitive user data, such as e-mail and username. I wish to safely secure this info on my JWT.

Using the pyjwt module, I was able to successfully create my tokens. Here is an example of how I've been using it.

import jwt
from datetime import datetime, timedelta

data = {
    "user": {}, # Here I would fill with my user data.
    "exp": datetime.utcnow() + timedelta(hours=2)
}
jwt.encode(data,"my-super-secret-key", "HS256")

This code above, returns a token where I thought it was encrypted.

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjp7fSwiZXhwIjoxNjMwMzAxMjI4fQ.sF3NeOArV5Mkgz9oemNMA4-RPF-mXKCIkQrlMQPLMV4

Using the https://jwt.io/ JWT checker, I found out that my token was actually being "decrypted" without the use of my-super-secret-key. This made me wonder what was the purpose of the secret key in PyJWT anyways. My guess is that it's just for signing the token.

And how can I actually secure my JWT token? (I've read about JWE, but didn't quite understood it yet, would really appreciate a concise explanation)

Lucca Marques
  • 119
  • 5
  • 1
    A **JWT** is a token (some kind of data) that is **signed**, and the recipient is been able to prove the signature. What you need is an encrypted version that is named **JWE**. Your Python library does not seem to support JWE's so you need to change the lib. On https://jwt.io/ you find a lot of libs that support JWE's, for my cross-platform project I have choosen **authlib** (https://github.com/lepture/authlib). A sample code is here (disclaimer: I'm the author): https://github.com/java-crypto/cross_platform_crypto/blob/main/JwtJweRsaOaep256Encryption/JweRsaOaep256Encryption.py – Michael Fehr Aug 30 '21 at 08:11
  • Thanks a lot for the response! I've read about JWE, but I'm struggling with the encryption algorithms. I'm gonna dig into encryption algorithms so I can understand how to properly encode my data! Thanks! – Lucca Marques Aug 30 '21 at 15:05

1 Answers1

1

A JWT consist of three sections: header, payload and signature. All tree sections will be BASE64 encoded. They are not encrypted.

The algorithm argument to jwt.encode() defines the algorithm used to sign the token. This will prove that the token is authentic and prevent manipulation by the user and a third party.

You can choose within a set of symmetric and asymmetric algorithms:

Symmetric algorithm will create shorter signatures but require a better protection of the key since it has to be stored on every machine involved in issuing and verifying the token.

Asymmetric algorithms will create long signatures, require at least a minimal PKI, but you need to distribute a public key only. The private key remains on the system issuing the tokens.

Klaus D.
  • 13,874
  • 5
  • 41
  • 48
  • Thanks! I'm gonna read more about asymmetric algorithms and try to implement the JWE token! Signing the token is a good option but in my case I need that data encrypted! Thanks for the response! – Lucca Marques Aug 30 '21 at 15:07