我正在制作一个使用JWT令牌连接到Api的JavaScript客户端。 在服务器端不存在任何问题,我可以创建令牌标记并稍后验证签名,从而确保没有人篡改令牌。
但是,我如何在客户端做到这一点。 我可以解码JWT令牌并查看头部,有效载荷和签名。 但是,如何在客户端验证签名? 是否有这样的库,如何将公钥传输给客户端?
如果我不验证签名,我怎么知道该令牌没有被篡改?
I was making a javascript client that connects to an Api using JWT tokens. On the server side there are no problems, I can create the token sign it and later verify the signature en thus ensure that nobody tampered with the token.
But how do I do this on the client side. I can just decode the JWT token and see the header, payload and signature. But how do i verify the signature at the client site? Are there libraries for this, how do I transfer the public key to the client?
If I do not verify the signature how can I know the token is not tampered with?
最满意答案
如果我不验证客户端的签名,我如何确保令牌确实来自服务器。 也许中间有人正在改变令牌
签名验证不会避免Man In The Middle攻击 。 即使使用有效令牌,攻击者也可以嗅探频道捕获凭证或更改消息
使用SSL / TLS频道(https)
如果我不验证签名,我怎么知道该令牌没有被篡改?
由TLS可信服务器提供的令牌可能是有效的(它可能已在本地存储中被更改)。 您可以验证签名。 此操作通常在服务器端完成(请参阅@sakuto答案),但您可以在浏览器中完美地完成此操作
但是,如何在客户端验证签名?
这些是步骤
从受信任的服务器下载公钥 从JWT提取签名并对其进行解码(base64url) 使用加密库验证数字签名我建议使用Webcrypto。 在这里查看RSA导入密钥的一个验证示例: https : //github.com/diafygi/webcrypto-examples/blob/master/README.md#rsassa-pkcs1-v1_5
if I do not validate the signature at the client side how can I ensure that the token is indeed from the server.? Maybe there is somebody in the middle who is changing the token
Signature validation does not avoid a Man In The Middle attack. An attacker could sniff the channel to capture credential or alter messages even using valid tokens
Use a SSL/TLS channel (https)
If I do not verify the signature how can I know the token is not tampered with?
A token provided by a TLS trusted server is probably valid.(it could has been altered in local storage). You can validate the signature. This operation is usually done in server side( see @sakuto answer), but you can do it in the browser perfectly
But how do i verify the signature at the client site?
These are the steps
Download the public key from a trusted server extract the signature from JWT and decode it( base64url) verify the digital signature using a cryptographic libraryI suggest to use the Webcrypto. See an example of RSA import key an validation here: https://github.com/diafygi/webcrypto-examples/blob/master/README.md#rsassa-pkcs1-v1_5
更多推荐
发布评论