Problem description
As I understand it: to check the validity of a JWT created using an asymmetric public/private key encryption algorithm, you require the public key along with the JWT header, claim (aka payload) and signature. The JWT header and claim can be decoded freely but can't be verified without the public key to validate the signature with (which is based on the header & claim and created with the private key).
My question is, why not just bundle the public key into the claim payload of the token? That way anyone can check the validity of the token without necessarily needing to dig up the public key from a database or file store.
Recommended answer
How would you know that the public key delivered with the JWT is authentic? For all you know, an attacker may have generated a key pair, signed the payload with the private key and included data, signature and public key in the JWT. This "thing" that you have now doesn't prove anything.