0
votes

I want to encrypt the JWT payload with current methods like symmetric or asymmetric encryption. My question is: if I use these methods, does JavaScript need to do anything with my data on the client side, or will all parts of encryption and validation still be done on the server side? In this article, they say that if you need to encrypt the payload, you must store the public key (due to encryption algorithms like RSA or ...). Why? If I want to encrypt the payload, why do we need to store the public key (or any keys) in the JWT token? Is there any way to encrypt the payload symmetrically, only on the server side, so that no JavaScript needs to access it and manipulate the token?


1 Answer

0
votes

You are misinterpreting the article.

To encrypt a JWT for a given recipient you need to know their public RSA key.

This would probably be clearer if it read:

To encrypt a JWT for a given recipient so that they can decrypt it you need to know their public RSA key.

This means that if the client wanted to encrypt something to send to you that you could decrypt, they would only need to know your public key, and you would only need to know your private key. If you wanted to encrypt something that the client could decrypt, you would need the client's public key.

It sounds like you want to encrypt something to send to the client, which they can then send back to you for you to decrypt. Since you are both encrypting and decrypting, no keys need to be sent to the client (unless you use a different key per client, in which case you would need to send them the public key you used so you could figure out which private key to decrypt with).