创建没有签名的 JWT 令牌?
Create JWT token without signature?
是否可以在没有签名的情况下创建 JWT 令牌?
我们有一种情况不需要签名,但需要令牌的所有其余部分。那么是否可以在没有签名的情况下创建 JWT 令牌?
根据文档,您通过以下方式创建令牌:
var token = jwt.sign
命令,所以这有点暗示秘密是强制性的。
根据RFC 7519:
To support use cases in which the JWT content is secured by a means
other than a signature and/or encryption contained within the JWT
(such as a signature on a data structure containing the JWT), JWTs
MAY also be created without a signature or encryption. An Unsecured
JWT is a JWS using the "alg" Header Parameter value "none" and with
the empty string for its JWS Signature value, as defined in the JWA
specification [JWA]; it is an Unsecured JWS with the JWT Claims Set
as its JWS Payload.
既然你没有提到你使用的是哪个库,我想你正在使用 from auth0。虽然我还没有测试过,但似乎将 algorithm 设置为 none,会导致“没有数字签名或 MAC 值”:
var token = jwt.sign({ foo: 'bar' }, cert, { algorithm: 'none'});
是否可以在没有签名的情况下创建 JWT 令牌?
我们有一种情况不需要签名,但需要令牌的所有其余部分。那么是否可以在没有签名的情况下创建 JWT 令牌?
根据文档,您通过以下方式创建令牌:
var token = jwt.sign
命令,所以这有点暗示秘密是强制性的。
根据RFC 7519:
To support use cases in which the JWT content is secured by a means other than a signature and/or encryption contained within the JWT (such as a signature on a data structure containing the JWT), JWTs MAY also be created without a signature or encryption. An Unsecured JWT is a JWS using the "alg" Header Parameter value "none" and with the empty string for its JWS Signature value, as defined in the JWA specification [JWA]; it is an Unsecured JWS with the JWT Claims Set as its JWS Payload.
既然你没有提到你使用的是哪个库,我想你正在使用 from auth0。虽然我还没有测试过,但似乎将 algorithm 设置为 none,会导致“没有数字签名或 MAC 值”:
var token = jwt.sign({ foo: 'bar' }, cert, { algorithm: 'none'});