jwtk / jjwt

Java JWT: JSON Web Token for Java and Android
Apache License 2.0

Validate JWT RSA256 signature #358

Closed fourteenminusone closed 6 years ago

fourteenminusone commented 6 years ago

Hi,

I have a JWT signed with an RSA256 algorithm. How do I validate a JWT like this one? Do I have to use the same statement that the README.md reports, using the public key obtained from the public certificate used to sign the JWT?

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureException;

try {
    // public_key: the RSA public key matching the private key that signed the JWT
    Jwts.parser().setSigningKey(public_key).parseClaimsJws(jwt);
    //OK, we can trust this JWT
} catch (SignatureException e) {
    //don't trust the JWT!
}

Thank you!

lhazlewood commented 6 years ago

Just a friendly reminder: JJWT's GitHub issues are for actionable work that requires changes to the JJWT codebase. Please use StackOverflow with the #jjwt tag for usability/help questions. Thanks!

As to your question:

Yes, you should verify a signed JWT (aka 'JWS') with the public key, and your code example looks good.

Only the private key should be used to create a JWS, but the public key can be used to verify it.
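A full round trip of what lhazlewood describes, added here as an example that is not code from the issue or from the JJWT project: the issuer signs with its RSA private key, the verifier checks with only the public key, and a token signed under a different key or edited after signing is rejected. It assumes JJWT (with the same 0.9-era parser API as the question) and Jackson on the classpath; the key pairs, claims and class name are constructed for the demo.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Base64;

public class RsaJwsVerifyExample {
    // Returns the verified claims, or null if the token must not be trusted.
    // The verifier only ever holds the issuer's PUBLIC key.
    static Claims verify(String jws, PublicKey issuerPublicKey) {
        try {
            Jws<Claims> parsed = Jwts.parser()
                    .setSigningKey(issuerPublicKey)
                    .parseClaimsJws(jws);
            return parsed.getBody();
        } catch (JwtException e) {
            // SignatureException (wrong key or altered token), ExpiredJwtException,
            // MalformedJwtException ... all mean the same thing: do not trust it.
            return null;
        }
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair issuer = kpg.generateKeyPair(); // the issuer's key pair (constructed)
        KeyPair other = kpg.generateKeyPair();  // an unrelated key pair (constructed)
        // Issuer side: only the PRIVATE key can produce the RS256 signature.
        String jws = Jwts.builder()
                .setSubject("alice")
                .signWith(SignatureAlgorithm.RS256, issuer.getPrivate())
                .compact();
        // Verifier side: the matching public key accepts the token ...
        System.out.println("issuer key accepted: " + (verify(jws, issuer.getPublic()) != null));
        // ... an unrelated public key rejects it ...
        System.out.println("other key accepted:  " + (verify(jws, other.getPublic()) != null));
        // ... and so does a token whose payload was edited after signing,
        // because the original signature no longer covers the new payload.
        String[] parts = jws.split("\\.");
        String forgedPayload = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("{\"sub\":\"admin\"}".getBytes(StandardCharsets.UTF_8));
        String tampered = parts[0] + "." + forgedPayload + "." + parts[2];
        System.out.println("tampered accepted:   " + (verify(tampered, issuer.getPublic()) != null));
    }
}
```

Catching JwtException rather than only SignatureException also covers expired and malformed tokens, which a verifier should reject just as firmly.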