Having doubts about a concept applied in the sample code named "JSON Web Token (JWT) with RSA encryption"
for reference see: http://connect2id.com/products/nimbus-jose-jwt/examples/jwt-with-rsa-encryption
The sample code provides an RSAEncrypter class, which is based on the use of the public key, as well as an RSADecrypter class, which uses the opposite, a private key.
In a more practical view, I cannot understand why the JSON Web Token was generated this way, as the encrypted information will usually be sent to a client using the JWE format. In parallel, the client extracts the public key from a shared source, like a digital certificate store or a JWK store, and then decrypts the information from the JWE data.
My question: Why does the client side use a private key? Why not use the private key at the Encrypter and the public key at the Decrypter class?
Clarifications about the conceptual side of this RSA sample code are welcome.
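An added example (not the questioner's code and not the Nimbus library's) that models the scenario in the question in Python with textbook RSA: the JWK store exposes only the client's public key, the sender encrypts with it, and only the client's matching private key recovers the value. The primes, key id and content-key stand-in are constructed; real JWE wraps a content encryption key with RSA-OAEP or RSA1_5 rather than raw, unpadded RSA.

```python
# Added illustration, not code from the question or from Nimbus JOSE+JWT: textbook RSA
# with small constructed primes, showing the key direction JWE relies on. There is no
# padding here (real JWE uses RSA-OAEP/RSA1_5 to wrap a content key), so this is the
# math only, for understanding rather than use.

def gen_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) from two primes; e is public, d is the private exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # e * d == 1 (mod phi); needs Python 3.8+
    return (n, e), (n, d)

def encrypt(public_key, m: int) -> int:
    """What an RSAEncrypter does: anyone holding the public key can run this."""
    n, e = public_key
    return pow(m, e, n)

def decrypt(private_key, c: int) -> int:
    """What an RSADecrypter does: only the private exponent d undoes encrypt()."""
    n, d = private_key
    return pow(c, d, n)

def jwe_like_exchange():
    """Model the question's scenario and return three booleans:
    (recipient decrypts ok, other party's private key works, public key works)."""
    # The client (recipient) owns the key pair and publishes only the public half,
    # e.g. through a JWK store keyed by kid. Primes and kid below are constructed.
    client_pub, client_priv = gen_keypair(1000003, 1000033)
    jwk_store = {"client-key-1": client_pub}

    # The server (sender) fetches the client's *public* key and encrypts a
    # constructed stand-in for the JWE content encryption key (CEK).
    cek = 123456789
    ciphertext = encrypt(jwk_store["client-key-1"], cek)

    # 1. The client, holding the matching private key, recovers the CEK.
    recovered = decrypt(client_priv, ciphertext)

    # 2. Another party's private key (a different key pair) does not.
    _, other_priv = gen_keypair(1000037, 1000039)
    wrong = decrypt(other_priv, ciphertext)

    # 3. Nor does the public key: applying e to the ciphertext is just encrypting again.
    with_public = pow(ciphertext, client_pub[1], client_pub[0])

    return recovered == cek, wrong == cek, with_public == cek
```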