I understand the difference between symmetric and asymmetric keys. I understand that the keys are used to calculate the signature, and then verify them. However, diving a little deeper, I would like to understand a little more that I have problems finding on the Internet.
Are the keys provided to consumers to verify the content? Wouldn't that give consumers the ability to modify the contents of the JWT if symmetric keys are used?
When asymmetric keys are used, is it a signature calculated using a private or public key? Is the consumer a public / private key?
thanks
, JWT, ( ).
( JWT, ) . / , out_of_band (.. , , ).
JWT (JWS), , (/), , base64. Secure Socket Layer (SSL). , . , , , trusted--, , JWS "", , . JWT JWE Json Web Token Encrypted. JWE .
No one will encrypt the JWT payload. It's all about signature! RSA or ECDSA signatures (both asymmetric) can only be verified using a common key, for signatures with a symmetric signature you will need an authentication service.
The most common JWT signing algorithms:
HMAC + SHA256 RSASSA-PKCS1-v1_5 + SHA256 ECDSA + P-256 + SHA256
see more https://tools.ietf.org/html/rfc7518#section-3
Source: https://habr.com/ru/post/1609890/More articles:Android Device Monitor не может получить доступ к SDK - androidThe name CollapsingToolbarLayout disappears - androidHow to change the color of the focus style? (watchOS 2) - watchkitAllow identical empty methods in ReSharper - c #Gradle dependencies: what's the difference between a compilation project and a compilation name? - androidCall kernel32 ReadProcessMemory in Go - goSet the color of WKInterfacePicker (text or outline) - iosRunning NUnit tests in an ASP.NET 5 project (in VS Test Explorer) - asp.net-coreWhat does the sendBroadcast method of the LocalBroadcastManager class return? - androidPolybase creates external data source giving syntax error - azure-sqldwAll Articles