JWT decode and encode security

Shawdow:

I am encoding my payload data using firebase/php-jwt with key

use Firebase\JWT\JWT;

$key = "example_key";                 // shared HMAC secret used for HS256
$payload = array(
    "iss" => "http://example.org",    // issuer
    "aud" => "http://example.com",    // audience
    "iat" => 1356999524,              // issued at (Unix time)
    "nbf" => 1357000000               // not valid before (Unix time)
);

$jwt = JWT::encode($payload, $key, 'HS256');

Decoding can be done online using http://calebb.net/. I need to know what the use of encoding with a key is, if a user can decode the data online. How can I restrict decoding online? Any solutions for this?

Shawdow:

Hi @theProfit, which method do I need to use to encode and decode with a key? And also, what is the use of keeping a key in JWT encode?

martinbean:

@shawdow You use a private key to generate a signature for your JWT. The server that receives the JWT will then use a public key to verify the signature.

Keys aren’t for protecting the token. Anyone can decode the header and payload. It needs to be decodable in order to know which key to verify it with. It’s because they’re decodable that you’re instructed not to put any sensitive data in them.

From https://jwt.io/introduction:

Do note that for signed tokens this information, though protected against tampering, is readable by anyone. Do not put secret information in the payload or header elements of a JWT unless it is encrypted.

Shawdow:

@martinbean Thanks for the reply, since I am new to this. Can you tell me how to create a private key to generate a signature for a JWT?

martinbean:

@Shawdow What do you mean? Yes, you create a private (and public) key and give the private key to whoever you want to issue JWTs.

Shawdow:

@martinbean Is the below approach what you are trying to tell me?

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

// Private key: used only by the issuer to sign the token.
$privateKey = <<<EOD
-----BEGIN RSA PRIVATE KEY-----
[private key body omitted from the original post]
-----END RSA PRIVATE KEY-----
EOD;

// Public key: handed to whoever needs to verify the signature.
$publicKey = <<<EOD
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8kGa1pSjbSYZVebtTRBLxBz5H
4i2p/llLCrEeQhta5kaQu/RnvuER4W8oDH3+3iuIYW4VQAzyqFpwuzjkDI+17t5t
0tyazyZ8JXw+KgXTxldMPEL95+qVhgXvwtihXC1c5oGbRlEDvDF6Sa53rcFVsYJ4
ehde/zUxo6UvS7UrBQIDAQAB
-----END PUBLIC KEY-----
EOD;

$payload = array(
    "iss" => "example.org",    // issuer
    "aud" => "example.com",    // audience
    "iat" => 1356999524,       // issued at (Unix time)
    "nbf" => 1357000000        // not valid before (Unix time)
);

// Sign with the private key (RS256 = RSA with SHA-256).
$jwt = JWT::encode($payload, $privateKey, 'RS256');
echo "Encode:\n" . print_r($jwt, true) . "\n";

// Verify the signature with the public key and get the claims back.
$decoded = JWT::decode($jwt, new Key($publicKey, 'RS256'));

$decoded_array = (array) $decoded;
echo "Decode:\n" . print_r($decoded_array, true) . "\n";

martinbean:

@Shawdow Yes. Generate a public and private key. Give the private key to the user, and keep hold of the public key. When a JWT token comes in, you can verify the signature using the public key.

Shawdow:

@martinbean If I encode using a private key in JWT, I am able to see the encoded data in the below URL, http://calebb.net/. Can we protect this?

In brief, if I get the encoded data like below and paste it inside the decoder search box (http://calebb.net/), I can see the encoded data. Can we avoid this?

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJleGFtcGxlLm9yZyIsImF1ZCI6ImV4YW1wbGUuY29tIiwiaWF0IjoxMzU2OTk5NTI0LCJuYmYiOjEzNTcwMDAwMDB9.acVlIL5dWDJbWotfoSkyJVMgRhe2K_w2_VHz0uqghiCayMufqwxTzrYjLVG2lLsIgdvapUePwAXluuH6biY8mCUhD8_Ly6svvH_vAehg-qrT-TzBJVuBsn_Z7g23Lh2s8A7rxyXve4ab-GhlWKh5pTuXHiPaTUdzUeBH6WqhGWs
martinbean:

If I encode using a private key in JWT, I am able to see the encoded data in the below URL, http://calebb.net/. Can we protect this?

@Shawdow That’s not what JWTs are for.

Anyone can decode a JWT header and payload. The public and private keys are used to create a signature to verify that the token hasn’t been tampered with and wasn’t created by someone else.
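To make the two points in this thread concrete (anyone can read the header and payload without a key; the key only lets you check that the signature is genuine), here is an added Python example that is not part of the original thread and not code from firebase/php-jwt. It re-implements the HS256 variant from the first post with the standard library only: base64url segments joined by dots, an HMAC-SHA256 signature over the first two segments. The secret `example_key` and the claims are constructed to mirror the thread; `modify_claims` is a constructed helper that edits the payload without re-signing, to show the verifier rejecting it. RS256 from the later code works the same way, except that the private key signs and the public key verifies, which needs an RSA library and is therefore not shown here.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed sample inputs mirroring the thread (not secrets from the post).
SECRET = b"example_key"
PAYLOAD = {
    "iss": "http://example.org",
    "aud": "http://example.com",
    "iat": 1356999524,
    "nbf": 1357000000,
}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the stripped padding and decode a segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def hs256_sign(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over 'header.payload'."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = _json_segment(header) + "." + _json_segment(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_without_key(token: str) -> Tuple[dict, dict]:
    """What an online decoder does: read header and claims, no key involved."""
    header_b64, payload_b64, _signature = token.split(".")
    return (
        json.loads(b64url_decode(header_b64)),
        json.loads(b64url_decode(payload_b64)),
    )


def hs256_verify(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims only if the HS256 signature matches, else None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (e.g. "none" or an RS256
    # public key being treated as an HMAC secret).
    if header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def modify_claims(token: str, **changes) -> str:
    """Constructed test helper: change claims but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    return header_b64 + "." + _json_segment(claims) + "." + sig_b64


if __name__ == "__main__":
    token = hs256_sign(PAYLOAD, SECRET)
    print("token:", token)
    print("readable by anyone:", decode_without_key(token))
    print("verified with key:", hs256_verify(token, SECRET))
    print("wrong key:", hs256_verify(token, b"not-the-key"))
    print("edited claims:", hs256_verify(modify_claims(token, iss="http://example.net"), SECRET))
```

The last two lines print `None`: the payload stays readable to everyone, but a signature made with a different key, or a payload changed after signing, fails verification. That is the only protection the key gives; hiding the claims themselves would require encrypting the token (JWE), as the jwt.io note quoted earlier says.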
