Lesson 4

Common JWT Mistakes Japanese Guide

Japanese guide to common JWT mistakes: Avoid common JSON Web Token validation and handling problems.

This content is not yet available in Japanese. The English version is shown until localization is complete.

JWT bugs often come from treating a compact token as if it were a trusted session record. The format is simple, but the validation rules matter.

Trusting decoded payloads

The payload is readable JSON. Anyone can create a token-shaped string with arbitrary fields. Never grant access just because a decoded payload contains admin: true or a familiar sub.

Ignoring audience and issuer

A token issued for one API should not automatically work for another. Always check iss and aud according to your identity provider and service boundary.

Accepting unexpected algorithms

Applications should allow only the algorithms they expect. Algorithm confusion bugs happen when a verifier accepts a header value that changes how signatures are checked.

Mishandling expiration

Check exp against the current time using seconds, not milliseconds. Also decide how much clock skew your system allows, especially across distributed services.

Leaking tokens

JWTs are often bearer credentials. If someone can use the token, they may act as the subject until it expires or is revoked. Avoid putting tokens in logs, screenshots, issue trackers, or analytics events.
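The following verifier, an added example and not part of the original lesson or of any DevCove tool, applies the checks from the sections above to an HS256 token: it allowlists the algorithm, verifies the signature before reading any claim, checks iss and aud, and compares exp in seconds with a configurable clock-skew leeway. The secret, issuer and audience values are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-secret-not-for-production"   # constructed demo key; load real keys from a secret store
ALLOWED_ALGS = {"HS256"}                     # allowlist: the header must not choose the verifier

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(payload, secret=SECRET):
    """Issue an HS256 token; used here only to build sample input for verify()."""
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def verify(token, expected_iss, expected_aud, secret=SECRET, now=None, leeway=30):
    """Return (claims, None) on success or (None, reason) naming the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except Exception:
        return None, "bad header"
    if header.get("alg") not in ALLOWED_ALGS:          # rejects "none", RS256, etc.
        return None, "unexpected alg"
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))     # only now are the claims worth reading
    if claims.get("iss") != expected_iss:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    if not isinstance(claims.get("exp"), int):
        return None, "missing exp"
    now = int(time.time()) if now is None else now
    if now > claims["exp"] + leeway:                   # exp is seconds since the epoch, not ms
        return None, "expired"
    return claims, None
```

A payload edited after signing, a token with alg set to none, or a token for another audience all fail before any claim is acted on.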

If you want to practice, you can use the related DevCove tool. It is optional and not a required part of this lesson.
