Can I create data interaction between Server and Client with JWT, which use the same "secret"?

139 views Asked by At

I try to create a Web application with JWT:

If a user send a request the server, I can run the process on the server and send the data back to the browser in a web token, that brings me to the question:

How can I verify this server response in the browser and send a new request to the server by using JWT with a secrete that can be accept from the server?

On the server the JWT from the browser request should be verify.

My consideration is to create a JWT on the client with the same "secret" but this is readable for attackers, because it is possible to read the source code (developer console).

Does there exist an way?

//Create request JWT
Request 1 --> {head: ...; data:..., secrete: secret}
//Request should be checkted on the server (secrete)  
// create a Resonse JWT and send back to the Client
Resonse 1 --> {head: ...; data:..., secrete: secret}
//Client verify the Respons JWT by the secrete
1

There are 1 answers

4
pedrofb On BEST ANSWER

Keep secret the private keys. Sending them along the net is a dangerous solution because if they are stolen break the full system. You can use an assymetric RSA key pair instead of a symmetric. The JWT is signed with the private key and verified with the public

In the usual scenario, when user is not identified, the server requires credentials to user in the browser, and issues a new JWT token. The client application in the browser include the JWT token in subsequent requests to authenticate. The server verifies token signature.

You propose that the browser also issue JWt tokens as a form of authentication. Consider the following:

  • you will need an assymetric key pair
  • generate the keys in the browser, do not send the private key by network
  • keep the key safe: I suggest using the native webcryptography api, because unlike any other cryptographic library, allows to generate and use keys without exposing the content, ie can not be stolen
  • send the public key to server and associate it with the user's account