Can a JWT produced with RS256 be decoded by the jwt.io website?
Recently I made my first Express server and added user authentication using JWT. Now I'm looking for a way to encrypt that JWT so that users will not be able to see the payload on the https://jwt.io website.
Does anyone know if this encryption algorithm will prevent users from seeing the payload without the public/private key?
Solution 1:[1]
RS256 uses a digital signature to ensure integrity, authenticity, and non-repudiation of the produced token. It does not ensure confidentiality.
If you want to use JWE (JSON Web Encryption) with JWT, you can. And since you are both the issuer and the recipient of the token, I would suggest using symmetric encryption. Actually, you may not use asymmetric crypto, because anyone in possession of the public key would be able to encrypt, and you could not ensure you are actually the one who originally produced the JWE.
You need an implementation/library that supports JWE-formatted JWTs. That would give you integrity, authenticity, and confidentiality, e.g.:
```shell
npm install jose@4
```
To encrypt, use EncryptJWT:
```javascript
import * as crypto from 'crypto'
import { EncryptJWT } from 'jose'

// Direct key agreement ("dir") with A256GCM needs a 32-byte key;
// you would pass your own 32-byte secret as a Buffer instead of a random one
const secretKey = crypto.randomBytes(32)

const jwt = await new EncryptJWT({ 'urn:example:claim': true })
  .setProtectedHeader({ alg: 'dir', enc: 'A256GCM' })
  .setIssuedAt()
  .setIssuer('urn:example:issuer')
  .setAudience('urn:example:audience')
  .setExpirationTime('2h')
  .encrypt(secretKey)
```
This produces a JWE-formatted JWT like the one below, whose payload cannot be decrypted without knowledge of secretKey:
```
eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..Wz7DdwAPlbq4cYxn.OMfWJTMuyfLcdN4g541KfcDFKaL5y2bBaFIxuC_-mVa7YLE4M7bVfiO9R2umvpD_acGj5l3gvxulcRnHzBMeRpm4qgbJuWVdA1fYUOguDs1h2xtesZ_9iZUEtcu3hEJ1wVM46ad-9dPebe_VaWwe4XVU5GM.7lDflVFg_Qm3N88xX8Dy1A
```
To decrypt and validate the JWT Claims Set, use jwtDecrypt:
```javascript
import { jwtDecrypt } from 'jose'

// Decryption fails if the key is wrong or the token was tampered with;
// the issuer and audience claims are checked against the expected values
const { payload, protectedHeader } = await jwtDecrypt(jwt, secretKey, {
  issuer: 'urn:example:issuer',
  audience: 'urn:example:audience'
})
```
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Stack Overflow |
