Reputation: 1722
Validating jwt on native platforms
I'm building an native iOS app, it uses OAuth 2.0/OIDC for authentication and authorisation. The auth server is identity serverver 4.
By going thru documents such as https://www.rfc-editor.org/rfc/rfc8252 I have established that the correct flow to use is "authorisation code" flow even though we own the app, the auth server and the resources. I also learned that we need to use a secure browser such as SFSafariViewController and that we need to use PKCE and remember to use the "state" key in the request and validate on return.
My problem is validating the jwt on the iOS device. I use https://github.com/kylef/JSONWebToken.swift as suggested on jwt.io
To validate the validity of the jwt we need to check that it was is deed signed by our auth server. The server signs using an async rs256 key and exposes the public key on a endpoint. JSONWebToken.swift does not support rs256 and I have not been able to find any iOS library that does, so how to other people validate jwt on iOS devices? I guess we could swith to HS256 which is supported by JSONWebToken.swift but this is a sync algorithm and would require us to store the key on the device which would not be safe.
How to solve this issue, surely I'm not the only one having it...
Upvotes: 4
Views: 177
Answers (1)
Reputation: 3593
You could use the Vapor package at https://github.com/vapor/jwt which does support RS256, but you'll need to fetch the JWK yourself.
Upvotes: 1
Related Questions
- Verify signature of JWT token using iOS swift4
- How to manually validate a JWT signature using online tools
- Verify JWT Token Signature
- JWT verify signature using HMACSHA256 and show "Invalid Signature" by Swift
- JWT signature verification
- Validate JWT token with RS256 or RS512 with Swift iOS
- Encoded JWT using PKCS8 RSA256 algorithm on jwt.io but not in application
- How to validate or verify JWT Signature?
- JWT: Verify Signature Secret Format.
- JWT Signature Validation