When to use RS256 for JWT?

萌比男神i 2021-01-12 19:16

So, right now I'm building an API for third-party use and I was reading about RS256 and HS256. What I understood was that the difference between them is that in the first one you use a

1 Answer
  •  慢半拍i (original poster)
    2021-01-12 20:10

    Use RS256 when:

    • tokens are signed by a third party, usually an Identity Provider (e.g. OAuth2/OIDC), and you need to verify that the token has been issued by a trusted entity

    • tokens are signed by clients, usually to get access to an API, where clients have previously registered the public key

    • tokens are signed by a centralized authentication server in a Single Sign-On system and they are used to get access to several federated servers

    • tokens are used to transfer data between two parties, not necessarily for authentication purposes, and the signature is used to ensure the identity of the signatory

    Use HS256 when:

    • tokens are signed and validated by the same server

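The split the answer describes, as an added example that is not part of the original answer: with HS256 one secret both signs and verifies, while with RS256 the verifier holds only the public key and cannot issue tokens. The RSA key is a constructed toy key so the block runs on the standard library alone; `sign`, `verify` and the sample claims are hypothetical names, and a real service would use a vetted JWT library with generated keys.

```python
import base64, hashlib, hmac, json

# Constructed toy RSA key from two Mersenne primes (trivially factorable), demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                            # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held by the signer only
K = (N.bit_length() + 7) // 8        # signature length in bytes
# DER DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5)
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def emsa(data):
    t = PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(claims, alg, key):
    """key: shared secret bytes for HS256, RSA private exponent for RS256."""
    parts = ({"alg": alg, "typ": "JWT"}, claims)
    data = ".".join(b64u(json.dumps(p).encode()) for p in parts).encode()
    if alg == "HS256":
        sig = hmac.new(key, data, hashlib.sha256).digest()
    else:
        sig = pow(int.from_bytes(emsa(data), "big"), key, N).to_bytes(K, "big")
    return data.decode() + "." + b64u(sig)

def verify(token, alg, key):
    """key: shared secret for HS256, RSA public exponent for RS256; claims or None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64u_dec(head)).get("alg") != alg:   # alg is fixed by the server
            return None
        data, raw = f"{head}.{body}".encode(), b64u_dec(sig)
        if alg == "HS256":
            ok = hmac.compare_digest(raw, hmac.new(key, data, hashlib.sha256).digest())
        else:
            em = pow(int.from_bytes(raw, "big"), key, N).to_bytes(K, "big")
            ok = len(raw) == K and em == emsa(data)
        return json.loads(b64u_dec(body)) if ok else None
    except (ValueError, AttributeError):
        return None

CLAIMS = {"iss": "idp.example", "sub": "client-42"}   # constructed sample values
SECRET = b"constructed-shared-secret"
rs_token, hs_token = sign(CLAIMS, "RS256", D), sign(CLAIMS, "HS256", SECRET)
print(verify(rs_token, "RS256", E))   # verifier needs only the public key
print(verify(sign(CLAIMS, "RS256", E), "RS256", E))   # public key cannot mint a token
```

Every party able to verify an HS256 token holds the signing secret, which is why the answer limits HS256 to the case where one server both signs and validates.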