Why is the signature part of a JWT token always different, even when created with the same values?
  • Time: 2019-06-24 08:34:58
  • Tags: node.js, jwt
jsonwebtoken v8.5.0, node v10.13.0, npm 6.4.1

If I create a token several times with:

    jwt.sign({ user_email: user_email, user_id: user_id, username: username }, RESTFULAPIs)

Question 01: It seems the first 2 parts of the string are always the same (the base64 encoded header and payload values), but the third part (the signature) is different. Why is the signature different when the original values are the same?

What I've Tried: I have read the signature section at jwt.io/introduction:

    To create the signature part you have to take: the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

So, as a guess: Is the signature the result of encrypting the base64 encoded header and payload values using the HS256 algorithm and secret, which in this case is the string RESTFULAPIs, which produces a different result each time it is encrypted, whilst the decoded result is always the same?

Question 02: The decoded value of the different tokens is always the same, except for an object property called iat. What does that property represent?

    {
      iat: 1561358034
      user_id: "25423537fshsdgA"
      user_email: "info@test.com"
      username: "bob"
    }

    {
      iat: 1561358156
      user_id: "25423537fshsdgA"
      user_email: "info@test.com"
      username: "bob"
    }

Actually, after researching this second question more, I came across this:

    The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value.

Source: https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6
Answers
Per the docs:

    Generated jwts will include an iat (issued at) claim by default unless noTimestamp is specified. If iat is inserted in the payload, it will be used instead of the real timestamp for calculating other things like exp given a timespan in options.expiresIn.

So, you could test generating multiple jwts in the same second (which would therefore have the same iat) and verify that the signature is the same. Or, use the noTimestamp option, which would eliminate the iat and therefore make the payloads identical. I don't think this is the recommended way to do it.

But in short, iat is "issued at" as you've answered yourself, and the payload (and therefore the signature) is going to change every second as the inserted iat changes, per the docs I've quoted for you.
If you want to have the same signature as output every time, you can convert the object you passed as the first argument to JSON first (e.g. using JSON.stringify()) and pass that JSON as the argument. Then the jwt.sign() method will return the same signature every time, as the iat property is not created by default. Passing a JavaScript object to jwt.sign() as the first argument will return a new signature every time. This is because the property iat is added by default in this case by javascript.



