jwt 符号的签名部分为何总是不同, 即使是以相同价值创建的, 也总是不同?
原标题:Why is the signature part of a jwt token always different, even when created with the same values?
jsonwebtoken, v8.5.0
node v10.13.0
npm 6.4.1
If i create a token several times with:
jwt.sign({ user_email: user_email, user_id: user_id, username: username }, RESTFULAPIs )
Question 01:
It seems the first 2 parts of the string are always the same (the base64 encoded header and payload values), but the third part (the signature) is different.
Why is the signature different when the original values are the same?
What I ve Tried:
I have read the signature section at jwt.io/introduction:
To create the signature part you have to take:
the encoded header
the encoded payload
a secret
the algorithm specified in the header
and sign that.
So, as a guess:
Is the signature the result of encrypting the base64 encoded header and payload values using the HS256 algorithm and secret, which in this case is the string RESTFULAPIs, which produces a different result each time it is encrypted, whilst the decoded result is always the same?
Question 02:
The decoded value of the different tokens is always the same, except for an object property called iat. What does that property represent?
{
iat: 1561358034
user_id: "25423537fshsdgA"
user_email: "info@test.com"
username: "bob"
}
{
iat: 1561358156
user_id: "25423537fshsdgA"
user_email: "info@test.com"
username: "bob"
}
Actually, after researching this second question more, I came across this:
The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value.
Source: https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6
问题回答
Per the docs:
Generated jwts will include an iat (issued at) claim by default unless noTimestamp is specified. If iat is inserted in the payload, it will be used instead of the real timestamp for calculating other things like exp given a timespan in options.expiresIn.
So, you could test generating multiple jwts in the same second (which would therefore have the same iat) and verify that the signature is the same. Or, use the noTimestamp option, which would eliminate the iat and therefore make the payloads identical. I don t think this is the recommended way to do it.
But in short, iat is "issued at" as you ve answered yourself, and the payload (and therefore the signature) is going to change every second as the inserted iat changes, per the docs I ve quoted for you.
If you want to have same signature as output every time, you can convert the object you passed in first argument to JSON first (like using JSON.stringify()) and pass that JSON as argument. Then the jwt.sign() method will return same signature every time as iat property is not created by default.
Passing a JavaScript object in jwt.sign() as first argument will return new signature every time. This is because the property iat is added by default in this case by javascript.
