When I started learning about JSON Web Tokens, there were some things that were straightforward to understand — and some concepts that felt like "h...
Awesome! Very short, understandable, and informative!
This article really is a big help to me. So, I enrolled on this site to thumb up your article!!
This is fantastic, great work! The combination of hashing plus encryption makes for a lot of confusion for folks getting started down this road, regardless of dev experience.
One thing to note on the algorithm in the header ... I would recommend including that in the configuration of the app that is doing the validation. So instead of asking the token “how should I verify your signature?” the application checks that the header matches the signature type it is expecting, rejects the token if it’s different, then uses the key it has to verify.
Great note, thanks Josh! I will update the article to reflect this. And that's generally done by the SDK / library you'd be using to validate, yes?
Generally, yes. You should be able to tell that library “hey, I only want to validate RS256 tokens” and the library should reject everything else.
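The algorithm pinning Josh describes above, as an added example that is not from the article or this thread: a minimal verifier that checks the token's `alg` header against the algorithm the application is configured for before it checks the signature. It uses HS256 with a constructed shared secret so it runs on the standard library alone; the same "reject anything that isn't the expected algorithm" rule applies to RS256 with a public key.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret for this example (not a real key).
SECRET = b"example-shared-secret"
# The algorithm the validating application is configured to accept.
EXPECTED_ALG = "HS256"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWTs strip before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build an HS256 token: base64url(header).base64url(payload).base64url(sig)."""
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify(token: str, key: bytes, expected_alg: str = EXPECTED_ALG) -> Optional[dict]:
    """Return the payload if the token is valid for expected_alg, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    # The application decides the algorithm; the token's header does not.
    # This also rejects "alg": "none" and any algorithm-swap attempt.
    if header.get("alg") != expected_alg:
        return None
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison of the recomputed and presented signatures.
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    good = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "1234"}, SECRET)
    print(verify(good, SECRET))  # payload
    unsigned = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + good.split(".")[1] + "."
    print(verify(unsigned, SECRET))  # None: algorithm does not match configuration
```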
Great article, really fantastic. But I just have a small doubt. I don't think we can decrypt the signature obtained in JWT using the public key provided by the authentication server.
Please let me know if I am wrong.
The purpose of the public key is indeed to decrypt the signature so that the client can validate the token by comparing the hashes. The private key is used by the authorization server to sign tokens.
This is a very old response now, but for others who hit this page - there is a confusion of terms here. The content isn't encrypted, but rather cryptographically signed. mritunjay is correct that you cannot decrypt with a public key, but you can verify a cryptographic signature with a public key.
Really, fantastic explanation, especially for juniors and students (almost like me), thank you!
Dear Author @kimmaida, one little note:
This typo can lead a reader to the wrong understanding. Could you please correct it?
Great catch, thank you so much! This has been corrected.
Your post was stolen by another person and posted here:
freecodecamp.org/news/how-to-sign-...
Thank you so much for bringing this to my attention!
The tutorial is great, it explains a lot that is bypassed in other postings.
Thank you!
Anyway I have some doubts regarding the validation procedure: does it really make sense to reconstruct the public key from its constituents as explained?
Why not take the certificate ("x5c" in the JWKS), check its validity and only then (if valid) retrieve the public key from it (which is easier)? If done in the way proposed in the tutorial, the certification of the public key is not checked, which could e.g. mean that I would use an expired or not yet valid public key as valid. One could also check the issuer of the certificate.
Google even ranks the article before the original!
@kim
So true about the draw the owl thing and thank you for the post!