I'm new using the JWT on web-apps. I'm not sure what info should be stored in a JWT, but in my case, I'm saving sensitive user data, such as e-mail and username. I wish to safely secure this info on my JWT.
Using the pyjwt module, I was able to successfully create my tokens. Here is an example of how I've been using it.
import jwt
from datetime import datetime, timedelta
data = {
"user": {}, # Here I would fill with my user data.
"exp": datetime.utcnow() + timedelta(hours=2)
}
jwt.encode(data,"my-super-secret-key", "HS256")
This code above, returns a token where I thought it was encrypted.
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjp7fSwiZXhwIjoxNjMwMzAxMjI4fQ.sF3NeOArV5Mkgz9oemNMA4-RPF-mXKCIkQrlMQPLMV4
Using the https://jwt.io/ JWT checker, I found out that my token was actually being "decrypted" without the use of my-super-secret-key. This made me wonder what was the purpose of the secret key in PyJWT anyways. My guess is that it's just for signing the token.
And how can I actually secure my JWT token? (I've read about JWE, but didn't quite understood it yet, would really appreciate a concise explanation)
A JWT consist of three sections: header, payload and signature. All tree sections will be BASE64 encoded. They are not encrypted.
The algorithm argument to jwt.encode() defines the algorithm used to sign the token. This will prove that the token is authentic and prevent manipulation by the user and a third party.
You can choose within a set of symmetric and asymmetric algorithms:
Symmetric algorithm will create shorter signatures but require a better protection of the key since it has to be stored on every machine involved in issuing and verifying the token.
Asymmetric algorithms will create long signatures, require at least a minimal PKI, but you need to distribute a public key only. The private key remains on the system issuing the tokens.