Reputation: 10095
Confusion relating to public and private keys and JWT
I'm trying out JWT (JSON Web Tokens) in a Go web service. Here's what I've done so far:
package jwt
import(
"fmt"
"net/http"
"github.com/gorilla/mux"
"github.com/dgrijalva/jwt-go"
"io/ioutil"
)
var privateKey []byte
var publicKey []byte
func JSONWebTokensHandler(w http.ResponseWriter, r * http.Request){
// Create the token
encodeToken := jwt.New(jwt.SigningMethodHS256)
// Set some claims
encodeToken.Claims["Latitude"] = "25.000"
encodeToken.Claims["Longitude"] = "27.000"
// Sign and get the complete encoded token as a string
tokenString, err := encodeToken.SignedString(privateKey)
decodeToken, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
}
return publicKey,nil
})
if decodeToken.Valid {
fmt.Fprintf(w,"Lat: %s, Lng: %s",decodeToken.Claims["Latitude"],decodeToken.Claims["Longitude"])
} else {
fmt.Fprintf(w,"Couldn't handle this token: %s", err)
}
}
func init(){
privateKey,_ = ioutil.ReadFile("demo.rsa")
publicKey,_ = ioutil.ReadFile("demo.rsa.pub")
r := mux.NewRouter()
r.HandleFunc("/jwt",JSONWebTokensHandler).Methods("GET")
http.Handle("/", r)
}
Now if my understanding is correct, A token that is encoded using a private key can be decoded using the public key. That is what I've presumed in the code above however when I run the code I get the error:
Couldn't handle this token: signature is invalid
If I use the same key for encoding and decoding, then the code works.
What I'd like to know is, is there something wrong with my understanding or in the code?
Upvotes: 1
Views: 2134
Answers (3)
Reputation: 371
Very interesting, since I have a similar problem, when I have micro service and a client app that need to verify the token that comes from another internal server, so if you advice using HMAC over RSA them that means that I need to put the private key in both micro service and Client App? that wouldn't be a serious security hole?
Upvotes: 0
Reputation: 597
You are using jwt.SigningMethodHMAC. Therefore, you are signing using HMAC, the signature is the token ciphered by a symmetric key (secret).
You shall use: jwt.New(jwt.SigningMethodRS256) to sign with an asymmetric key-pair.
Upvotes: 3
Reputation: 691625
The JWT isn't signed using an asymmetric cipher like RSA. It uses a HMAC, which uses a single, secret key. Indeed, the point here is not to prove to someone else that you signed the token. It's to prove to yourself that you signed it, and thus forbid anyone who doesn't have your secret key to modify the token.
Upvotes: 3
Related Questions
- JWT Private / Public Key Confusion
- Google OpenID Connect Public Keys
- Go and JWT - Simple authentication
- To create JWT where to provide public key in this implementation
- Golang package jwt-go with rsa key. How to put the public key and how to get it from the token?
- how to verify JWT signature?
- How to manage google app engine service account private keys?
- How do I store the private key of my server in google app engine?
- Google Cloud Endpoints and JWT
- Google service account authorization with JWT in Go