JWT Tokens global + private secret


I've been reading about JWT tokens recently, and I've had a moment: I've got an idea which seems great in my head, but I suspect it's not so great when it comes down to it.

I see people encrypting tokens with a single key for global purposes. What if I generated a completely new key for every user, joined the two strings afterwards and used the output for encrypting the token? This would deal with the need to create blacklists for users that shouldn't have access anymore, and so on. What am I missing? Because I'm sure somebody has had an idea similar to mine, and for some reason it's not widely used. Where am I lost?

1

1 answer

3
pedrofb (best answer)

JWTs are signed (not encrypted) with the private key of the issuer, usually the server. A digital signature identifies the signer and protects the content from alteration.

If you modify the payload or the signature of a valid JWT, or create a fake token, the server will just reject it. This is why the server does not need a list of issued tokens: it can verify cryptographically whether a token is trusted.

You could create a different key for each user, but it is not necessary: you want to prove that the token was issued by the server in order to trust the data contained in the payload, so just one key is needed.
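As an added example (not code from the question or the answer), here is a minimal HS256 signer and verifier in the Python standard library that shows the answer's point: with one server key, a token whose payload was swapped keeps an invalid signature and is rejected without any token list. It also implements the per-user key scheme from the question so the two can be compared. The function names, the constructed secrets, and the use of HMAC (rather than plain string joining) to combine the global and per-user secrets are assumptions of this example.

```python
# Added example: HS256 JWT sign/verify with a single key, plus a per-user derived key variant.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SEP = (",", ":")  # compact JSON, as JWT libraries emit


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, key: bytes) -> str:
    """Return header.payload.signature where signature = HMAC-SHA256(key, header.payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=SEP).encode()) + "."
                     + b64url_encode(json.dumps(payload, separators=SEP).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if signature (and exp, if present) check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm on the server side: the token must never choose its own alg
    # (this is what rejects "alg": "none" and similar header games).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    exp = payload.get("exp")
    if exp is not None and (now if now is not None else time.time()) >= exp:
        return None
    return payload


def forge_payload(token: str, new_payload: dict) -> str:
    """Swap the payload but keep the original signature: all an attacker can do without the key."""
    header_b64, _, sig_b64 = token.split(".")
    new_payload_b64 = b64url_encode(json.dumps(new_payload, separators=SEP).encode())
    return f"{header_b64}.{new_payload_b64}.{sig_b64}"


# --- Per-user keys, as proposed in the question. Secrets below are constructed for the example. ---
GLOBAL_SECRET = b"constructed-global-secret"
USER_SECRETS = {"alice": b"alice-secret-v1"}  # rotating a user's entry revokes that user's tokens


def user_key(user_id: str) -> bytes:
    # Combine the two secrets with HMAC instead of concatenation (an assumption of this example):
    # the key depends on both strings and there is no ambiguous boundary between them.
    return hmac.new(GLOBAL_SECRET, USER_SECRETS[user_id], hashlib.sha256).digest()


def verify_user_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Pick the key from the still-unverified "sub" claim, then verify normally."""
    try:
        sub = json.loads(b64url_decode(token.split(".")[1])).get("sub")
    except (ValueError, IndexError, AttributeError, UnicodeDecodeError):
        return None
    if not isinstance(sub, str) or sub not in USER_SECRETS:  # unknown user: no key, nothing verifies
        return None
    return verify_jwt(token, user_key(sub), now)


def revoke_user(user_id: str, new_secret: bytes) -> None:
    """Rotating the per-user secret invalidates every token signed under the old one."""
    USER_SECRETS[user_id] = new_secret


if __name__ == "__main__":
    key = b"constructed-single-server-key"
    tok = sign_jwt({"sub": "alice", "exp": 2_000_000_000}, key)
    print("valid :", verify_jwt(tok, key, now=1_700_000_000))
    print("forged:", verify_jwt(forge_payload(tok, {"sub": "mallory"}), key, now=1_700_000_000))
```

Note the cost of the per-user variant: the verifier has to read the user id out of the payload before it can select a key, so that claim is untrusted until the signature check with the selected key succeeds, and every verification now needs a lookup in the per-user secret store, which is the kind of server-side state the single-key design avoids.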