Why can I easily decode auth0 id_token on jwt.io?

Updated: 2024-10-27 18:28:22

Okay, I'm developing an Angular 2 app. I've added auth0 authentication, but to me it handles sessions very insecurely. The JWT token is not encrypted and is saved inside localStorage. The claims are visible to anyone; they can easily be decoded and revealed. Not to mention, Web Storage itself isn't a secure place.

I'm opting for JWTs because later I want to transform this web app into a desktop app with Electron, so I cannot use cookie sessions. My users will have additional information such as roles, which I don't want to look up in the DB on every request; that's why I would like to store them in the JWT. It makes sense to encrypt the data, but auth0 doesn't seem to provide that function.

If claims like roles are stored in localStorage unprotected, what's stopping me from going to the Firefox console and changing the token, e.g. making myself an admin?

Accepted answer

If claims like roles are stored in localStorage unprotected, what's stopping me from going to the Firefox console and changing the token, e.g. making myself an admin?

Because the JWT is signed, any alteration to the content or the signature will be detected during validation.

The digital signature, the third part of a JWT token like hhhhhh.ppppppp.ssssss, is created using the server's private key, and it is the way you can verify the identity of the issuer of the token and also that it has not been altered.

If you want to hide the payload, the JWT specification allows the use of encryption (see JSON Web Encryption (JWE) in the RFC). If auth0 does not support it, there are a lot of libraries listed on jwt.io.

Published: 2023-07-19 21:50:00
Source: https://www.elefans.com/category/jswz/34/1187578.html