I am using "Platform agnostic Security Token" for OAuth in Golang - https://github.com/o1egl/paseto
I am not able to understand why this is better than JWT, even after reading the README.
My major questions are:
- Can the "token" generated be altered like a "JWT" to pass modified or tampered data?
- Can a "token" generated using "paseto" be decrypted and viewed like a "JWT"?
The paseto library above uses "Set" and "Get" methods on its JSONToken type. Is that how we can verify the authenticity of the user?
Sample code:
```go
package main

import (
	"fmt"
	"log"
	"time"

	"github.com/o1egl/paseto"
)

func main() {
	symmetricKey := []byte("YELLOW SUBMARINE, BLACK WIZARDRY") // Must be 32 bytes
	now := time.Now()
	exp := now.Add(24 * time.Hour)
	nbt := now

	jsonToken := paseto.JSONToken{
		Audience:   "test",
		Issuer:     "test_service",
		Jti:        "123",
		Subject:    "test_subject",
		IssuedAt:   now,
		Expiration: exp,
		NotBefore:  nbt,
	}
	// Add custom claim to the token
	jsonToken.Set("data", "this is a signed message")
	footer := "some footer"

	v2 := paseto.NewV2()

	// Encrypt data
	token, err := v2.Encrypt(symmetricKey, jsonToken, footer)
	if err != nil {
		log.Fatal(err)
	}
	// token = "v2.local.E42A2iMY9SaZVzt-WkCi45_aebky4vbSUJsfG45OcanamwXwieieMjSjUkgsyZzlbYt82miN1xD-X0zEIhLK_RhWUPLZc9nC0shmkkkHS5Exj2zTpdNWhrC5KJRyUrI0cupc5qrctuREFLAvdCgwZBjh1QSgBX74V631fzl1IErGBgnt2LV1aij5W3hw9cXv4gtm_jSwsfee9HZcCE0sgUgAvklJCDO__8v_fTY7i_Regp5ZPa7h0X0m3yf0n4OXY9PRplunUpD9uEsXJ_MTF5gSFR3qE29eCHbJtRt0FFl81x-GCsQ9H9701TzEjGehCC6Bhw.c29tZSBmb290ZXI"

	// Decrypt data
	var newJsonToken paseto.JSONToken
	var newFooter string
	// `err :=` here would not compile (err is already declared), so assign with `=`
	err = v2.Decrypt(token, symmetricKey, &newJsonToken, &newFooter)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(newJsonToken.Get("data"), newFooter)
}
```
Now, if you see, there is code: `jsonToken.Set("data", "this is a signed message")`, and we can get that value back in the "Decrypt data" part at the end, where the newJsonToken variable is created. We can get the value of the "data" key using: `newJsonToken.Get("data")`.
But is the above data "verifiable", and can it not be tampered with or modified on the user's end?
Like in the JWT debugger at jwt.io, people can tamper with the data, know the algorithm, and pass "modified" data.
Can a user do the same with my generated token as well? Can they decode it and pass tampered data? Or can they not decode the data or view the actual data at all?
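To make the question concrete, here is an added example (not from the question or from the paseto library) that takes the v2.local token above apart using only Go's standard library. It assumes the v2.local layout from the PASETO spec: a 24-byte XChaCha20 nonce, the encrypted claims, a 16-byte Poly1305 tag, and a footer that is authenticated through PAE but not encrypted; the names `ParseV2Local`, `Parsed` and `PAE` are my own.

```go
package main
import (
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// The v2.local token from the question, copied verbatim: "v2.local." base64url(nonce(24)||ciphertext||tag(16)) "." base64url(footer).
const sampleToken = "v2.local.E42A2iMY9SaZVzt-WkCi45_aebky4vbSUJsfG45OcanamwXwieieMjSjUkgsyZzlbYt82miN1xD-X0zEIhLK_RhWUPLZc9nC0shmkkkHS5Exj2zTpdNWhrC5KJRyUrI0cupc5qrctuREFLAvdCgwZBjh1QSgBX74V631fzl1IErGBgnt2LV1aij5W3hw9cXv4gtm_jSwsfee9HZcCE0sgUgAvklJCDO__8v_fTY7i_Regp5ZPa7h0X0m3yf0n4OXY9PRplunUpD9uEsXJ_MTF5gSFR3qE29eCHbJtRt0FFl81x-GCsQ9H9701TzEjGehCC6Bhw.c29tZSBmb290ZXI"
const header = "v2.local." // the header, trailing dot included, is itself authenticated

// Parsed is everything someone WITHOUT the key can recover from a v2.local token.
type Parsed struct {
	Footer                 string // readable by anyone, but covered by the authentication tag
	Nonce, Ciphertext, Tag []byte // the JSON claims sit inside Ciphertext, unreadable without the key
}

// ParseV2Local splits a token into its parts without decrypting anything; the footer is optional.
func ParseV2Local(token string) (*Parsed, error) {
	if !strings.HasPrefix(token, header) {
		return nil, errors.New("not a v2.local token")
	}
	parts := append(strings.SplitN(token[len(header):], ".", 2), "") // parts[1] is "" when there is no footer
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	footer, ferr := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || ferr != nil || len(payload) < 24+16 {
		return nil, errors.New("malformed v2.local token")
	}
	return &Parsed{Footer: string(footer), Nonce: payload[:24],
		Ciphertext: payload[24 : len(payload)-16], Tag: payload[len(payload)-16:]}, nil
}
// PAE is PASETO's Pre-Authentication Encoding: LE64(count), then LE64(len(piece)) || piece for each piece.
func PAE(pieces ...[]byte) []byte {
	out := binary.LittleEndian.AppendUint64(nil, uint64(len(pieces)))
	for _, piece := range pieces {
		out = append(binary.LittleEndian.AppendUint64(out, uint64(len(piece))), piece...)
	}
	return out
}
// AssociatedData is what the tag covers besides the ciphertext (header, nonce, footer); changing any of it makes Decrypt fail.
func (p *Parsed) AssociatedData() []byte { return PAE([]byte(header), p.Nonce, []byte(p.Footer)) }
func main() {
	p, err := ParseV2Local(sampleToken)
	if err != nil { panic(err) }
	fmt.Printf("footer %q is readable; claims valid JSON? %v; tag covers %d AAD + %d ciphertext bytes\n",
		p.Footer, json.Valid(p.Ciphertext), len(p.AssociatedData()), len(p.Ciphertext))
}
```

Anyone can read the footer and the nonce out of the token, but the claims come back as opaque ciphertext, and since header, nonce, ciphertext and footer are all under the tag, a modified token fails to decrypt rather than yielding altered claims.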