I try to create a Web application with JWT:
If a user send a request the server, I can run the process on the server and send the data back to the browser in a web token, that brings me to the question:
How can I verify this server response in the browser and send a new request to the server by using JWT with a secrete that can be accept from the server?
On the server the JWT from the browser request should be verify.
My consideration is to create a JWT on the client with the same "secret" but this is readable for attackers, because it is possible to read the source code (developer console).
Does there exist an way?
//Create request JWT
Request 1 --> {head: ...; data:..., secrete: secret}
//Request should be checkted on the server (secrete)
// create a Resonse JWT and send back to the Client
Resonse 1 --> {head: ...; data:..., secrete: secret}
//Client verify the Respons JWT by the secrete
Keep secret the private keys. Sending them along the net is a dangerous solution because if they are stolen break the full system. You can use an assymetric RSA key pair instead of a symmetric. The JWT is signed with the private key and verified with the public
In the usual scenario, when user is not identified, the server requires credentials to user in the browser, and issues a new JWT token. The client application in the browser include the JWT token in subsequent requests to authenticate. The server verifies token signature.
You propose that the browser also issue JWt tokens as a form of authentication. Consider the following: