JWTs are signed so that users cannot alter their contents even though the data
can be viewed. Using the OP's example, suppose a user is authenticated and is
given a JWT with the JSON
{ "service1": true, "service2": true, "service3": false }
which shows the services this user can access. Since the JWT is signed, the
user could not
1. Decode the token
2. Change false to true for service3
3. Re-sign the token (they can't do this without the application secret, and this
needs to happen or JWT verification will fail server-side)
Therefore, if you give that token to the user, there is no way they can get
access to service3 (assuming you grant access to service3 based on the JWT).
As usual, you should use HTTPS to prevent others from getting this user's token
so they cannot impersonate the user (but this is an issue independent of JWT).
However, this still may not be a good idea since the user can look into the
token and learn about your infrastructure - if they didn't know about service3
before, now they would. So in general, one should use caution when deciding
what should be included in the JWT.
--
---
You received this message because you are subscribed to the Google Groups
"nodejs" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/nodejs/29e0507b-984a-464b-9d02-f4ad58db4a8a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.