Reputation: 36411
When using cookies, they are stored on the server and compared to the ones coming in the request from a client. What are JWTs compared to? Are they being decoded into their components?
Upvotes: 3
Views: 1307
Reputation: 5664
A JSON Web Signature (JWS) JWT is not "compared to" anything; rather it is validated using a cryptographic key. Various algorithms are supported. The system validating the JWT must have access to the appropriate key for validating a particular JWT.
For symmetric algorithms (`HS{256,384,512}`) the JWS object comprising the token is validated using the HMAC construction with the SHA-2 cryptographic digest, keyed by a shared secret, i.e. the same key used to produce the token must be used to validate it.
For asymmetric algorithms (`{RS,ES,PS}{256,384,512}`) the JWS object comprising the token is validated using the RSASSA-PKCS1-v1_5 (`RS`), ECDSA (`ES`) or RSASSA-PSS (`PS`) algorithms with the SHA-2 cryptographic digest, using the public key corresponding to the private key used to sign the JWS.
The process of validating a JWS (a JWT is always serialized using the JWS compact serialization) is defined in the JWS Internet-Draft. In brief, the token is split into its three parts: header (a base64-encoded JSON object), payload (base64-encoded octet string; for JWT this is a JSON JWT claims object) and signature (base64-encoded octet string). The header identifies the algorithm used, and this algorithm is used to verify the signature, which is computed across `ASCII(BASE64URL(UTF8(Header)) || '.' || BASE64URL(Payload))` (this signing input is exactly the serialised JWT up to but not including the second period).
Upvotes: 3
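The symmetric (`HS*`) case of the validation procedure the answer above describes, written out as an added example that is not part of the original answer. It uses only the Python standard library: the token is split at the two periods, the signing input is the serialised token up to but not including the second period, and the HMAC over that input is recomputed with the shared secret and compared in constant time. One practitioner's caveat beyond the answer: the verifier pins the algorithm it expects rather than trusting the `alg` field in the header, so a token rewritten to `"alg":"none"` (or to a different key type) is rejected before any signature check. The secret and the claims are constructed for the example; the function names `sign_hs`, `verify_hs` and `verifies` are this example's own, not any library's API, and the asymmetric `RS`/`ES`/`PS` algorithms are not covered here.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for this example only; not a real key.
SECRET = b"example-shared-secret-do-not-use"

# JWS uses base64url without '=' padding (RFC 4648 section 5, padding stripped).
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that the encoder stripped before decoding.
    text += "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text.encode("ascii"))


# HMAC with the SHA-2 digest named by the JWS 'alg' value.
HMAC_DIGESTS = {
    "HS256": hashlib.sha256,
    "HS384": hashlib.sha384,
    "HS512": hashlib.sha512,
}


def sign_hs(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Produce a compact-serialised JWS/JWT over `claims` with a shared secret."""
    header = {"alg": alg, "typ": "JWT"}
    # Signing input: BASE64URL(UTF8(header)) '.' BASE64URL(payload)
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    sig = hmac.new(key, signing_input.encode("ascii"), HMAC_DIGESTS[alg]).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Validate a compact JWS with a shared secret; return the claims on success.

    Raises ValueError on any structural problem, algorithm mismatch or bad signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (expected 3 parts)")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the header is attacker-controlled, so it must match what
    # this verifier was configured for, not merely name something we support.
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    # The signing input is exactly the token up to, but not including, the second '.'.
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, HMAC_DIGESTS[expected_alg]).digest()

    # Constant-time comparison of the recomputed MAC against the presented one.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")

    return json.loads(b64url_decode(payload_b64))


def verifies(token: str, key: bytes, expected_alg: str = "HS256") -> bool:
    """Boolean wrapper around verify_hs for callers that only need accept/reject."""
    try:
        verify_hs(token, key, expected_alg)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = sign_hs({"sub": "alice", "admin": False}, SECRET)
    print(token)
    print(verify_hs(token, SECRET))
    # Tampering with the payload without re-signing must fail.
    h, p, s = token.split(".")
    forged = h + "." + b64url_encode(b'{"sub":"alice","admin":true}') + "." + s
    print("forged accepted:", verifies(forged, SECRET))
```

Because `verify_hs` recomputes the MAC from the first two segments as they arrived on the wire, it does not matter whether the payload was re-encoded or the JSON re-serialised by the client: any change to those bytes changes the signing input and the HMAC no longer matches.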