How is angular-jwt decoding my JWT without a secret?

前端 未结 1 2026
时光说笑
时光说笑 2021-02-20 14:14

The Auth0 team created something called \"angular-jwt\" which has a jwtHelper class. This thing successfully decodes a local JWT without the secret I used on the server. How d

相关标签:
1条回答
  • 2021-02-20 14:58

    A JWT uses encoding, not encryption. The data that the token contains is not a secret, anyone can decode it and view. What the server does, is it signs the token using a secret (in your case, config.secret), which effectively makes it impossible to modify the token without knowing the secret. Hence, only the server will be able to change the contents of the token, but anyone can read it.

    0 讨论(0)
提交回复
热议问题