a quick jwt question

  • Question

  • User1034446946 posted

    if i can change the payload of the jwt without it affecting any validation how is it considered secure?

    Tuesday, April 21, 2020 1:46 PM


All replies

  • User-474980206 posted

    No, you cannot change the payload without making it invalid. That’s the point of a jwt token, the payload cannot be modified. The third part of the token is an encrypted hash of the first two parts.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, April 21, 2020 2:38 PM
  • User1034446946 posted

    but on jwt.io i have just entered a jwt and changed the payload section and it validated

    i did the same on debugging and it still returned the new payload value

    (and it wasn't using none in the header)

    Tuesday, April 21, 2020 2:53 PM
  • User-474980206 posted

    if you change the payload, you need to regenerate part 3 (the signing). jwt.io does this with their own secret. 

    to validate a jwt token, you need the token and the secret. you can then decrypt the signature and check the hash. other validation may be done on the payload (once the signature is verified) such as the issuer.

    there are two common ways to validate the signature.

    1) you call the issuer with the jwt token, and it says if valid

    2) you have a copy of the secret and can verify yourself.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, April 21, 2020 6:00 PM
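As an added illustration of the answer above (example code written for this page, not posted by either participant): a minimal HS256 signer and verifier showing that swapping the payload segment while keeping the original signature fails verification, whereas a token re-signed with a different secret (the way a debugger such as jwt.io re-signs with its own key) verifies only under that key, never under the server's. The secrets and claims are constructed; the verifier also refuses any `alg` other than the one it expects, including `none`.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # restore padding

def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    signing_input = f"{_json_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_json_segment(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes):
    """Return the payload dict if header, encoding and signature all check out, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64url or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # rejects "none" too
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    return json.loads(b64url_decode(body_b64))  # only trusted once the MAC matched

def replace_payload_keep_signature(token: str, new_payload: dict) -> str:
    """Edit the middle segment but leave the original signature in place."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_json_segment(new_payload)}.{sig_b64}"

SERVER_SECRET = b"constructed-server-secret"      # constructed for the demo
DEBUGGER_SECRET = b"constructed-debugger-secret"  # stand-in for a debugger's own key

def demo() -> dict:
    token = sign_hs256({"sub": "alice", "role": "user"}, SERVER_SECRET)
    edited = replace_payload_keep_signature(token, {"sub": "alice", "role": "admin"})
    resigned = sign_hs256({"sub": "alice", "role": "admin"}, DEBUGGER_SECRET)
    return {
        "original_verifies": verify_hs256(token, SERVER_SECRET) is not None,
        "edited_verifies": verify_hs256(edited, SERVER_SECRET) is not None,
        "resigned_verifies_for_server": verify_hs256(resigned, SERVER_SECRET) is not None,
        "resigned_verifies_for_debugger": verify_hs256(resigned, DEBUGGER_SECRET) is not None,
    }
```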
  • User1034446946 posted

    Thanks, got it all sorted, appreciated the info.

    Tuesday, April 21, 2020 8:03 PM