JWT.io is verifying the token based on empty secret and saying signature is verified
I am totally new to this, so please bear with my question if it's utterly stupid. I am learning how to verify signature using https://jwt.io
The following is what I am doing
Generated Public/Private Key Pair
Private Key
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4A6A48288A531DCA
m2glcvku6rdV8z0QBsBc3Hc72vG4NN3wIPnqdC47FTA3y9WiD7Ukh4m3ZpL2mraz
7PSblIe8ob/aaG9TYViIb4QRYZFg8z3jR6WeNEhC2EbC2CwkSSH3ug8ViQ+1i8d1
kMnQDK1i/s0BZvxlhKPuSy2kOIjelWctkDHvJyvU/WQ=
-----END EC PRIVATE KEY-----
Public Key
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHpqkegB/A/12vqfApHOaFXaJcHkyhNw1u9XnZe2+hiDT698U4c3iet5VyTo3D1DOe7Xi5dG07UorsMvWCmSbvU=
I used this website to generate ECDSA-256 pair of keys with passphrase as H2
Create a JSON Web Token (JWT)
I used http://jwtbuilder.jamiekurtz.com/ to generate the token
I used the private key to sign the JWT. The following is the token
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJIYXJpdCIsImlhdCI6MTU4Nzc1MjM3NCwiZXhwIjoxNjE5Mjg4Mzc0LCJhdWQiOiJodHRwczovL3d3dy5oYXJpdC5kZXYiLCJzdWIiOiJjb250YWN0QGhhcml0LmNvbSIsIkdpdmVuTmFtZSI6Ikhhcml0IiwiU3VybmFtZSI6IkhpbWFuc2h1In0.pmvGfBXH4603YMGYDB6qOXlQjhfdPulvbODrK70ihS0
Verify
I go to the website https://jwt.io and below is the video of what I tried
Question
How JWT is verifying and telling it as a valid signature when the secret is empty. I have not even provided the secret yet.
What am I missing?
When you paste a token on the left side and then change the secret or key in the input field in the right column, a new signature is calculated and then automatically verified. And the secret can also be empty, not advisable but possible.
Please observe what happens to the signature part of your token in the left column. You'll notice that it changed!
This often leads to misunderstandings, people asked here why their token was verified with a given secret, but their API said it's invalid. But they didn't notice that the signature was recalculated when they entered the secret.
If you want to check if the token can be verified with a given secret, you always need to first paste the secret into the input field in the right column (under VERIFY SIGNATURE) and then paste the token to the left column.
- Why are iframes considered dangerous and a security risk?
- Secure Google Cloud Functions http trigger with auth
- How do I get the currently loggedin Windows account from an ASP.NET page?
- Error Importing SSL certificate : Not an X.509 Certificate
- Full text search on encrypted data
- It is necessary to send the JWT token from the browser page to the server
- Is it possible to use double @ in an email address?
- How to replicate the RuntimeDefault seccompProfile in Kubernetes to run in Docker?
- Difference between processes running in kernel mode and running as root?
- Why is it okay to transmit authentication/session cookies over plaintext?
- How to handle .env.local in a next js typescript file?
- How does Maven 3 password encryption work?
- Do we need encrypt session id before saving it into database
- Any point in using a paid threat intelligence service over Google's Lookup API for detecting malicious URLs?
- How to securely update configuration for root password in yocto?
- how to secure and encrypt setting.xml paswords file in maven?
- How to convert a PKCS#8 encoded RSA key into PKCS#1 in Java?
- Vector securely erasing its memory
- How to safely run user-supplied Javascript code inside the browser?
- curl - Is data encrypted when using the --insecure option?
- ZAP Dynamic SSL certificate option is not available
- how to implement the Eurion constellation security measure
- How can I sanitize user input with PHP?
- Security threats when using bar() vs bar(void)
- Is exposing a session's CSRF-protection token safe?
- is electron's `safeStorage` for passwords and login credentials?
- Encrypting/decrypting some file types with Rijndael 256 (CakePHP Security library) garbles contents
- Named Pipe security problem on some Windows clients
- Best way to save authentication token?
- Azure Function failling with error: The username or password incorrect: C:\host\LogFiles\Application\Function\Host