Spring's default OAuth JWT flow (using client_credentials grant) is as follows:
- Launch the Auth Server (AS)
- Launch the Resource Server (RS)
- At startup the RS requests the tokenKey by calling
GET /oauth/token_key
using Basic Auth
- At startup the RS requests the tokenKey by calling
- The AS returns a PUBLIC KEY using RS256 (SHA256withRSA)
- Some time later, the Client requests an accessToken by calling
GET /oauth/token
using the client_credentials grant - The AS returns a JWT accessToken containing a JWS signature
- The Client sends the JWT as a Bearer token to the RS
- The RS uses the tokenKey that it received from the AS at startup to verify that the JWT accessToken came from the AS. This is where I get confused...
Is this secure? Why would a public cert be used rather than a shared secret key? Couldn't a hacker easily obtain the public key and sign their own valid JWT accessToken? How does the usage of the public key cert and the JWT signature work together to verify that the sender was actually the Auth Server and not an attacker?
Any insight would help.