I was making a JavaScript client that connects to an API using JWT tokens. On the server side there are no problems: I can create the token, sign it and later verify the signature and thus ensure that nobody tampered with the token.
But how do I do this on the client side? I can just decode the JWT token and see the header, payload and signature. But how do I verify the signature on the client side? Are there libraries for this? How do I transfer the public key to the client?
If I do not verify the signature, how can I know the token is not tampered with?
asked Dec 15, 2017 at 15:50 by Arno van Lieshout

3 Answers
If I do not validate the signature at the client side, how can I ensure that the token is indeed from the server? Maybe there is somebody in the middle who is changing the token.
Signature validation does not prevent a Man In The Middle attack. An attacker could sniff the channel to capture credentials or alter messages, even using valid tokens.
Use an SSL/TLS channel (https).
If I do not verify the signature, how can I know the token is not tampered with?
A token provided by a TLS-trusted server is probably valid (it could have been altered in local storage). You can validate the signature. This operation is usually done on the server side (see @sakuto's answer), but you can do it in the browser perfectly well.
But how do I verify the signature on the client side?
These are the steps:
- Download the public key from a trusted server
- Extract the signature from the JWT and decode it (base64url)
- Verify the digital signature using a cryptographic library
I suggest using WebCrypto. See an example of RSA key import and validation here: https://github./diafygi/webcrypto-examples/blob/master/README.md#rsassa-pkcs1-v1_5
You usually do not do verification on the client side, nor store important data in the token. Every control and permission is checked on the back-end, meaning that even if the user tampers with their token, they won't be able to pass the back-end controls, only possibly seeing one more option on the front-end.
This type of work-around comment is the reason why I don't trust "libraries" written by others.
JWT.io has reported that many of the libraries that are widely available have security vulnerabilities.
RFC 7519 clearly states that the application MUST validate the token signature and if its signature is not valid, you MUST discard it.
security - JWT token signature validation javascript - Stack Overflow