This repository was archived by the owner on May 3, 2023. It is now read-only.

Why not HMAC? #3

Answered by BRAVO68WEB
JonasSchweigler asked this question in Q&A

Hi @JonasSchweigler,

Using HMAC-type keys for JWTs makes them vulnerable and easy to manipulate, as it's just base64 encryption.

Testing it out ...

  • Generate a JWT like eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Payload here -

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

  • Now I manipulated the payload a bit
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODEyMzEyMyIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTUxNjIzOTAyMn0.ZVySjZDGuGci28UgGDSorzrkxcnHWBeC5DGevLNLj-E

Payload here -

{
  "sub": "12345678123123",
  "name": "John Doe",
  "iat": 1516239022
}

Replies: 2 comments

Answer selected by JonasSchweigler
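The following Python is added here as an example; it is not code from the discussion or from the repository. It decodes the payloads of the two tokens quoted in the answer using nothing but base64url (no key is involved in reading a JWT payload), then signs an HS256 token with a constructed secret and shows how a verifier should treat such tokens: pin the algorithm to HS256 instead of trusting the token's header, recompute the HMAC over header.payload, and compare in constant time, so a token whose payload was edited without re-signing is rejected. The secret "constructed-demo-secret" and the demo claims are constructed values; the first token is the well-known sample token from the jwt.io debugger, and the demo checks it against that tool's default secret "your-256-bit-secret" and prints the result.

```python
import base64
import hashlib
import hmac
import json

# Tokens quoted from the discussion above (header.payload.signature).
ORIGINAL_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
MODIFIED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODEyMzEyMyIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTUxNjIzOTAyMn0."
    "ZVySjZDGuGci28UgGDSorzrkxcnHWBeC5DGevLNLj-E"
)

# Constructed secret for the demo, not a real key.
DEMO_SECRET = "constructed-demo-secret"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def decode_payload(token: str) -> dict:
    """Return the claims WITHOUT checking the signature.

    No key is needed: base64url is an encoding, so anyone holding the token
    can read its payload. Never make authorization decisions on this output.
    """
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def sign_hs256(claims: dict, secret: str) -> str:
    """Build a JWT and sign header.payload with HMAC-SHA256."""
    header_b64 = _b64url_encode(_compact_json({"alg": "HS256", "typ": "JWT"}))
    payload_b64 = _b64url_encode(_compact_json(claims))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: str):
    """Return the claims if the HS256 signature verifies, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        presented_sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    # Pin the algorithm: the verifier decides it, never the token's header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None
    try:
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None


def tamper_payload(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the original signature, as in the discussion."""
    header_b64, _, sig_b64 = token.split(".")
    payload_b64 = _b64url_encode(_compact_json(new_claims))
    return f"{header_b64}.{payload_b64}.{sig_b64}"


if __name__ == "__main__":
    # Reading the payload needs no secret at all.
    print("original payload :", decode_payload(ORIGINAL_TOKEN))
    print("modified payload :", decode_payload(MODIFIED_TOKEN))
    # jwt.io's default debugger secret, for the sample token above.
    print("original verifies with jwt.io default secret:",
          verify_hs256(ORIGINAL_TOKEN, "your-256-bit-secret") is not None)
    # A verifier holding the secret accepts its own token and rejects an edited one.
    token = sign_hs256({"sub": "1234567890"}, DEMO_SECRET)
    print("signed token verifies :", verify_hs256(token, DEMO_SECRET))
    edited = tamper_payload(token, {"sub": "12345678123123"})
    print("edited token verifies :", verify_hs256(edited, DEMO_SECRET))
```

The point for a defender is the split between confidentiality and integrity: the payload is readable by anyone, so nothing secret belongs in it, while the HMAC binds header and payload to the key so an edited payload fails `verify_hs256` unless the attacker holds the secret. The `alg` pin matters as much as the HMAC itself; a verifier that honours whatever algorithm the token names is the classic way HS256 deployments get bypassed.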