Public and private keys governance in JWT

1
votes

I'm trying to better understand JWT and how to properly use it.

In common JWT use cases (like JWT-based authentication or JWT access token in oauth), does it make sense to verify a JWT token client-side? In particular, I'm asking this to better understand the requirements on the public and private keys that are involved in the JWT signing and encryption. If the clients never need to verify the JWT signature than the server does not need to make its public key available. If this is true, I don't even need a full blown X.509 certificate: a bare public/private key pair or a self signed cert would suffice, right?

So all this boils down to the question: what is the right way to deal with asymmetric keys used in JWT? Do I need a public key infrastructure or is a simple private/public key pair enough?

I understand that JWT specs do not cover this: yet I'm curious to know what the common practices are in real JWT usage.

Of course this question has nothing to do with the certs involved in https: I'm just talking about the keys used in JWT signature and encryption.

1
jwtx509certificate

1 Answers

2
votes

does it make sense to verify a JWT token client-side?

It makes sense if you use the token payload data to perform an operation in client side, and you need to trust the token. If you use the token for authenticate in a server, then let the server verify the signature.

if this is true, I don't even need a full blown X.509 certificate: a bare public/private key pair or a self signed cert would suffice, right?

Do I need a public key infrastructure or is a simple private/public key pair enough?

You can use either a trusted certificate, a self-signed certificate or simply a RSA keypair. Usually is used an autogenerated keypair. But if you do not plan to verify the signature on client, you can just use a HMAC symmetric key (not assymetric