Reputation: 840
JWT with RSA public and private key
I don't understand why I should use the public key in signing JWT. The private key is there so that the JWT token cannot be forged, yes? But why additionally sign it with a public key? Are there any benefits? Because I don't understand it at all. After all, a JWT signed with a private key can be read without the public key. What is this public key for?
Upvotes: 4
Views: 6785
Answers (1)
Reputation: 391
Signing a JWT means you take the cleartext, signing it with a key - either the private key from an RSA pair or a symmetric key, then add the signature to the JWT. The JWT itself is still readable without decrtypting the signature. But someone with the key can decrypt the signature and confirm the contents match the cleartext.
The advantage of using RSA over symmetric key is that anyone can verify the signature without them having to have a secret key. You can either pass the public key to the JWT recipient over a side channel, or if using OAuth2 it provides a URL to access public keys.
You would use the public key for encrypting, not signing. You encrypt with the recipient's public key so that only the recipient can decrypt it.
Upvotes: 5
Related Questions
- java-jwt with public/private keys
- JWT Private / Public Key Confusion
- How to do a Secure Authorization with RSA, AES and JWT?
- How can I create a JWT with RSA256 algorithm and a private key?
- Using JWT Token a Public Key
- JWT Using Asymmetric Encryption
- JWT token - Passcode for private key
- Nimbus JOSE JWT Encryption with RSA, Private and Public Key
- JWT: jwtk/jjwt with public/private keys
- JWT RS256: Is it safe to fetch public key over https?