Giter Club home page Giter Club logo

Comments (5)

abatishchev avatar abatishchev commented on June 2, 2024 1

Hi,
In general, to better assist you, please provide the version of the library and the target framework.

But in this particular case, this information is not needed. The second parameter key/keys is an artifact of the past and is used only by symmetric algorithms. Here's the code:

jwt/src/JWT/JwtDecoder.cs

Lines 248 to 255 in 9b9484f

if (algorithm is IAsymmetricAlgorithm asymmAlg)
{
_jwtValidator.Validate(decodedPayload, asymmAlg, bytesToSign, decodedSignature);
}
else
{
ValidSymmetricAlgorithm(keys, decodedPayload, algorithm, bytesToSign, decodedSignature);
}

In case of asymmetric algorithm, the instance of an algorithm holds the certificate object and uses it to validate the signature:

jwt/src/JWT/JwtValidator.cs

Lines 142 to 143 in 9b9484f

if (_valParams.ValidateSignature && !alg.Verify(bytesToSign, decodedSignature))
return new SignatureVerificationException("The signature is invalid according to the validation procedure.");

Hope this helps.

from jwt.

hanselsen avatar hanselsen commented on June 2, 2024

@abatishchev thanks so much.
As I understand correctly, passing the key/keys to the decoding has no effect at all, because it uses the certificate in my algorithm.
I can safely assume that the data is verified during the decoding process? 🙂

I guess where I got confused was that JwtEncoder.Encode expects either a string or a byte[], whereas JwtDecoder.Decode is fine with just the token.
Anyhow, I now have the following:

JwtEncoder.Encode(payload, default(byte[])) and JwtDecoder.Decode(tokenString);

from jwt.

abatishchev avatar abatishchev commented on June 2, 2024

Yes, the 3rd parameter verify controls whether the signature is verified. By default it's true.

To make sure it works, try to malform the signature and run with true. Then run with false.

from jwt.

abatishchev avatar abatishchev commented on June 2, 2024

Some methods's definitions are legacy and there might not not enough overloads indeed. Please feel free to open a PR and add some more. Contributions are always welcome and I try to review and merge them quickly :)

from jwt.

hanselsen avatar hanselsen commented on June 2, 2024

Thanks! The library is very useful.

from jwt.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.