1
votes

I am new to JWT and hence trying to understand the intricacies and expectations when using JWT. In my case, I own the micro-service generating the JWT tokens. JWT supports RS256 and HS256 mechanisms. From what I understand, in case of RS256, I distribute the public key to my client. In case of HS256, I distribute the secret to my client.

Assuming I give access to either of these to my client, what is the expectation from the client? Should the client treat the token I passed back to them as immutable and just send me the exact token back in subsequent API calls? Or is it recommended / okay for them to mutate the token and create a new one, e.g. by changing things like the audience in the token payload, and then for my server to verify the newly passed token? My server should be able to verify both tokens, but I don't know which is the recommended approach. If the recommended approach is for my client to not mutate the token, why do I need to distribute the keys to the client in the first place?


1 Answers

0
votes

Do not distribute the key to the client. The client should not be able to modify the JWT access token. It should treat the token as opaque.

Only the resource server (exposing the API) that accepts the token should verify the signature.

In OAuth2, the client is the application getting the access token and using it to call an API server. It should not care about the token as long as it works to call the API.

The authorization server authenticates the user, gets the user's consent and issues the token to the client.

The client then uses the token to call the resource server (API) with the token in the Authorization header.

In your case, the authorization server and resource server may be the same, but they should not share signing keys with the client.
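As an added example (not code from the question or the answer), here is a minimal HS256 issue/verify pair written with Python's standard library that shows why the key stays server-side: the resource server checks the signature and the audience, while a client that edits the audience without the key can only produce a token the server rejects. The secret, claim values and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret. It lives only on the authorization server and the
# resource server; the client never receives it and treats the token as opaque.
SERVER_SECRET = b"example-secret-kept-server-side"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes) -> str:
    """Authorization server: sign the claims as an HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, expected_aud: str):
    """Resource server: return the claims if signature and audience check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        return None
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):  # constant-time comparison
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != expected_aud:
        return None
    return claims


def client_rewrites_audience(token: str, new_aud: str) -> str:
    """What a client editing the payload without the key ends up with: the old signature
    no longer matches the new payload, so the resource server rejects it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["aud"] = new_aud
    return f"{header_b64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"
```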