JWT Keys - Asymmetric and Symmetric

n00b picture n00b · Oct 2, 2015 · Viewed 12.4k times · Source

I understand the difference between symmetric and asymmetric keys. I understand that the keys are used to calculate the signature and then verify them. However diving a little deeper, I'd like to understand a bit more which I'm having trouble finding online.

Are the keys given to the consumers to verify the contents? Wouldn't that give consumers the ability to change the JWT contents if symmetric keys are used?

When asymmetric keys are used is the signature calculated with the private or public key? Is the consumer given the public/private key?

Answer

Hans Z. picture Hans Z. · Oct 2, 2015

Symmetric keys are only to be used in a peer-to-peer way so it would be pointless for the receiver to modify JWTs for which only he and the sender have a shared key (and he is the intended recipient).

Asymmetric key signatures (in JWTs as well as in general) are produced by the sender with the private key and verified by the receiver with the public key. The consumer/receiver is given only the public key which happens out_of_band (i.e. through another means of communication than the one you use to exchange the secured data).