DEV Community

Signing and Validating JSON Web Tokens (JWT) For Everyone

Kim Maida on September 27, 2020

When I started learning about JSON Web Tokens, there were some things that were straightforward to understand — and some concepts that felt like "h...
Yevgeny Go

Awesome! Very short, understandable, and informative!

Jinsoo Youn

This article really is a big help to me. So, I enrolled on this site to thumb up your article!!

Josh Cunningham

This is fantastic, great work! The combination of hashing plus encryption makes for a lot of confusion for folks getting started down this road, regardless of dev experience.

One thing to note on the algorithm in the header ... I would recommend including that in the configuration of the app that is doing the validation. So instead of asking the token “how should I verify your signature?” the application checks that the header matches the signature type it is expecting, rejects the token if it’s different, then uses the key it has to verify.

Kim Maida

Great note, thanks Josh! I will update the article to reflect this. And that's generally done by the SDK / library you'd be using to validate, yes?

Josh Cunningham

Generally, yes. You should be able to tell that library “hey, I only want to validate RS256 tokens” and the library should reject everything else.
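Josh's rule from the two comments above, pinning the algorithm in the validator's own configuration and rejecting any token whose header disagrees before the signature is touched, worked through in code. This is an added example, not code from the article or from any library the commenters mention. It uses HS256 with Go's standard library so that it runs without key material; the `Validator` type, the `retagAlg` helper, the secret and the claims are all constructed for the demo. RS256, the algorithm Josh names, would plug in at the same `header.Alg != v.Alg` check with an RSA verifier in place of the HMAC comparison.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// Validator holds what the application fixes in its own configuration: the one
// algorithm it accepts and the key that goes with it. The token header is checked
// against this; it is never used to choose the verifier.
type Validator struct {
	Alg string
	Key []byte
}

// signHS256 stands in for the authorization server and mints a compact JWT
// (header.payload.signature) over the constructed claims.
func signHS256(key []byte, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(hmacSHA256(key, input)), nil
}

func hmacSHA256(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// Verify rejects the token as soon as its header names any algorithm other than
// the configured one, before the signature is looked at. That one check keeps
// "alg":"none" and algorithm-swap tokens away from a verifier that might accept them.
func (v Validator) Verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected three segments")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	if header.Alg != v.Alg {
		return nil, fmt.Errorf("rejecting alg %q: this validator only accepts %s", header.Alg, v.Alg)
	}
	if v.Alg != "HS256" { // only HS256 is implemented in this example
		return nil, fmt.Errorf("no verifier for configured alg %s", v.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(sig, hmacSHA256(v.Key, parts[0]+"."+parts[1])) {
		return nil, errors.New("signature does not verify")
	}
	payloadJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// retagAlg rewrites only the header's alg and lets the caller supply the signature
// segment (empty for an "alg":"none" attempt), which is the shape of token an
// attacker submits to probe the validator.
func retagAlg(token, alg, sig string) string {
	parts := strings.Split(token, ".")
	header, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	return b64.EncodeToString(header) + "." + parts[1] + "." + sig
}

func main() {
	key := []byte("constructed-demo-secret") // placeholder, not a real secret
	v := Validator{Alg: "HS256", Key: key}
	token, _ := signHS256(key, map[string]any{"sub": "alice", "admin": false})
	fmt.Println(v.Verify(token))
	fmt.Println(v.Verify(retagAlg(token, "none", "")))
	fmt.Println(v.Verify(retagAlg(token, "RS256", strings.Split(token, ".")[2])))
}
```

Whatever library you end up using, the same shape should be visible in its API: the caller hands over the accepted algorithm and the key, and the library refuses a token whose header says anything else, which is what Josh describes. Code that picks the verifier from the decoded header is the pattern to look for in review.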

mritunjay kumar mani

Great article, really fantastic. But I just have a small doubt. I don't think we can decrypt the signature obtained in JWT using the public key provided by the authentication server.

Please let me know if I am wrong.

Kim Maida

The purpose of the public key is indeed to decrypt the signature so that the client can validate the token by comparing the hashes. The private key is used by the authorization server to sign tokens.

Mark Bainter

This is a very old response now, but for others who hit this page - there is a confusion of terms here. The content isn't encrypted, but rather cryptographically signed. mritunjay is correct that you cannot decrypt with a public key, but you can verify a cryptographic signature with a public key.

S.P.

Really, fantastic explanation, especially for juniors and students (almost like me), thank you!

Dear Author @kimmaida, one little note

SHA-256 is an Asymmetric Key Cryptography algorithm

This typo can lead a reader to the wrong understanding. Could you please correct it?

Kim Maida

Great catch, thank you so much! This has been corrected.

David Chiu

Your post was stolen by another person and posted here:
freecodecamp.org/news/how-to-sign-...

Kim Maida

Thank you so much for bringing this to my attention!

guenthermahr

The tutorial is great; it explains a lot that is skipped over in other postings.
Thank you!

Anyway I have some doubts regarding the validation procedure: does it really make sense to reconstruct the public key from its constituents as explained?

Why not take the certificate ("x5c" in the JWKS), check its validity and only then (if valid) retrieve the public key from it (which is easier)? If done in the way proposed in the tutorial, the certification of the public key is not checked, which could e.g. mean that I would use an expired or not-yet-valid public key as valid. One could also check the issuer of the certificate.
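The contrast guenthermahr draws, worked through in Go: one JWK published with both `n`/`e` and `x5c`, read back through both routes. This is an added example, not code from the article or from any JWKS library; `publishJWK` stands in for an authorization server with a self-signed certificate, and the key, the subject name `auth.example` and the validity dates are all constructed for the demo. The `n`/`e` route hands back a key no matter what the certificate says; the `x5c` route refuses once the certificate is outside its validity window.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// jwk holds the JWKS fields the comment contrasts: n/e (base64url) and x5c (DER, standard base64).
type jwk struct {
	N   string   `json:"n"`
	E   string   `json:"e"`
	X5c []string `json:"x5c"`
}

// publishJWK stands in for the authorization server: it generates a fresh RSA key,
// self-signs a certificate for it with the given validity window, and publishes
// the key in both forms. Key, subject name and dates are constructed for the demo.
func publishJWK(notBefore, notAfter time.Time) (jwk, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return jwk{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "auth.example"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return jwk{}, err
	}
	return jwk{
		N:   base64.RawURLEncoding.EncodeToString(priv.N.Bytes()),
		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(priv.E)).Bytes()),
		X5c: []string{base64.StdEncoding.EncodeToString(der)},
	}, nil
}

// keyFromNE rebuilds the public key from n and e, the route the article takes.
// It has no way of knowing whether the key's certificate is still valid.
func keyFromNE(k jwk) (*rsa.PublicKey, error) {
	n, err := base64.RawURLEncoding.DecodeString(k.N)
	if err != nil {
		return nil, err
	}
	e, err := base64.RawURLEncoding.DecodeString(k.E)
	if err != nil {
		return nil, err
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// keyFromX5c takes the route the comment proposes: parse the leaf certificate,
// check that it is valid at now, and only then use the key it carries. Chain and
// issuer checks belong here too; they are skipped because the demo cert is self-signed.
func keyFromX5c(k jwk, now time.Time) (*rsa.PublicKey, error) {
	if len(k.X5c) == 0 {
		return nil, errors.New("jwk has no x5c")
	}
	der, err := base64.StdEncoding.DecodeString(k.X5c[0])
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("certificate not valid at %s (valid %s to %s)", now.UTC().Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("x5c leaf does not carry an RSA key")
	}
	return pub, nil
}

func main() {
	now := time.Now()
	fresh, _ := publishJWK(now.Add(-time.Hour), now.Add(time.Hour))
	stale, _ := publishJWK(now.Add(-48*time.Hour), now.Add(-24*time.Hour)) // expired yesterday
	for name, k := range map[string]jwk{"fresh": fresh, "stale": stale} {
		ne, _ := keyFromNE(k)
		x5, err := keyFromX5c(k, now)
		fmt.Printf("%s JWK: n/e route gave a key: %v; x5c route gave a key: %v; err: %v\n", name, ne != nil, x5 != nil, err)
	}
}
```

For a real JWKS the certificate would also be verified against a trust store and its issuer checked, as the comment notes; Go's `x509.Certificate.Verify` with a `VerifyOptions` root pool is where that goes. Both routes yield the same modulus and exponent for a current certificate, so the point of the `x5c` route is not a different key but the validity and issuer checks that come with it.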

David Chiu

Google even ranks the copy above the original!
@kim

YokeHman.Lai

So true about the draw the owl thing and thank you for the post!