No, you can not change the payload without making it invalid. That’s the point of a jwt token, the payload can not be modified. The third part of the token is an encrypted hash of the first two parts.
if you change the payload, you need to regenerate part 3 (the signing). jwt.io does this with their own secret.
to validate a jwt token, you need the token and the secret. you can then decrypt the signature and and check the hash. other validation is may be done on the payload (once the signature is verified) such as the issuer.
there are two common ways to validate the signature.
1) you call the issuer with the jwt token, and it says if valid
2) you have a copy of the secret and can verify yourself.
Participant
1861 Points
2836 Posts
a quick jwt question
Apr 21, 2020 01:46 PM|EnenDaveyBoy|LINK
if i can change the payload of the jwt without it affecting any validation how is it considered secure?
All-Star
58174 Points
15647 Posts
Re: a quick jwt question
Apr 21, 2020 02:38 PM|bruce (sqlwork.com)|LINK
No, you can not change the payload without making it invalid. That’s the point of a jwt token, the payload can not be modified. The third part of the token is an encrypted hash of the first two parts.
Participant
1861 Points
2836 Posts
Re: a quick jwt question
Apr 21, 2020 02:53 PM|EnenDaveyBoy|LINK
but on jwt.io i have just entered a jwt and changed the payload section and it validated
i did the same on debugging and it still returned the new payload value
(and it wasn't using none in the header)
All-Star
58174 Points
15647 Posts
Re: a quick jwt question
Apr 21, 2020 06:00 PM|bruce (sqlwork.com)|LINK
if you change the payload, you need to regenerate part 3 (the signing). jwt.io does this with their own secret.
to validate a jwt token, you need the token and the secret. you can then decrypt the signature and and check the hash. other validation is may be done on the payload (once the signature is verified) such as the issuer.
there are two common ways to validate the signature.
1) you call the issuer with the jwt token, and it says if valid
2) you have a copy of the secret and can verify yourself.
Participant
1861 Points
2836 Posts
Re: a quick jwt question
Apr 21, 2020 08:03 PM|EnenDaveyBoy|LINK
Thanks got it all sorted, appriciated the info.