Closed kdawgwilk closed 4 years ago
Joken only requires a private key if you call Joken.sign or similar functions. You can and should in your use case create a signer with the public key.
This is essential for JokenJwks and we've been using it in production for a while.
Just to be extra sure, I've pushed more tests that showcase this:
Hope this helps! Be sure not to call generate_and_sign! with a signer created using only the public keys.
This is mentioned in the docs too: https://hexdocs.pm/joken/assymetric_cryptography_signers.html#content
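A verify-only setup of the kind described above, as an added example that is not code from the issue or from the Joken project. It assumes Joken 2.x, a `use Joken.Config` module, and placeholder values for the provider's public key PEM, issuer and audience:

```elixir
# Added example (not from the issue or the Joken project): validating RS256
# tokens issued by a third-party identity provider using only its public key.
# Assumes Joken 2.x; the PEM, issuer and audience below are placeholders.
defmodule ThirdPartyToken do
  use Joken.Config

  # PLACEHOLDER: replace with the identity provider's published public key.
  # No private key is needed or wanted here: this service only verifies.
  @public_pem """
  -----BEGIN PUBLIC KEY-----
  ...
  -----END PUBLIC KEY-----
  """

  # Default claims (exp, iat, nbf, jti) plus pinned issuer and audience
  # (assumed values), so that tokens minted for other services are rejected
  # even when their signature is valid.
  @impl true
  def token_config do
    default_claims(iss: "https://idp.example.com", aud: "my-service")
  end

  # A signer built from the public key alone can verify signatures but must
  # never be passed to generate_and_sign!/3, as the maintainer notes above.
  def verify_signer do
    Joken.Signer.create("RS256", %{"pem" => @public_pem})
  end

  # Returns {:ok, claims} when signature and claims check out,
  # or {:error, reason} otherwise (bad signature, expired, wrong iss/aud).
  def verify(bearer_token) do
    verify_and_validate(bearer_token, verify_signer())
  end
end
```

Call `ThirdPartyToken.verify(token)` for each incoming token and treat any `{:error, _}` as an unauthenticated request.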
We have a use case where we have a 3rd party identity provider that generates our JWT tokens and we only want to be able to validate them but not generate them. However, joken requires that we provide a private key (for RS256 tokens) to create a signer which we don't own since it is a 3rd party that generates the tokens.