JWT is easily breakable

[gotoAndBliss]

rsa_private = OpenSSL::PKey::RSA.generate 2048
rsa_public = rsa_private.public_key

token = JWT.encode payload, rsa_private, 'RS256'

decoded_token = JWT.decode token, rsa_public, true, { algorithm: 'RS256' }

Oh so fancy! RSA protected?

JWT.decode token, 'whatever_kind_of_string', false

Works for every single encryption value offered by JWT

Good luck guys!

[ab320012]

The values are signed to prevent modifying not encrypted check out this article https://stackoverflow.com/questions/454048/what-is-the-difference-between-encrypting-and-signing-in-asymmetric-encryption

[dklotz]

@gotoAndBliss First of all you seem to be confusing signing and encryption. The JWT standard (not only this library) only does the former. The tokens themselves (header, payload and signature) are just Base64-encoded for transport, never encrypted (just e.g. paste any JWT into the box on jwt.io to see the plaintext). There is a second standard (JWE) that does encryption, but that is for different use cases and is not handled by this library AFAIK.

Secondly, in the second snippet you provided (... 'whatever_kind_of_string', false), you explicitly set the verify flag to false, so of course the signature is not verified. What else did you expect to happen in that snippet?

[SampsonCrowley]

Why is this even still open? signing != encrypting

[SampsonCrowley]

if you need encryption, use ruby-jwe and pass the JWT as the encryption payload