I understand the difference between symmetric and asymmetric keys. I understand that the keys are used to calculate the signature and then verify them. However diving a little deeper, I'd like to understand a bit more which I'm having trouble finding online.
Are the keys given to the consumers to verify the contents? Wouldn't that give consumers the ability to change the JWT contents if symmetric keys are used?
When asymmetric keys are used is the signature calculated with the private or public key? Is the consumer given the public/private key?
Thanks
Symmetric keys are only to be used in a peer-to-peer way so it would be pointless for the receiver to modify JWTs for which only he and the sender have a shared key (and he is the intended recipient).
Asymmetric key signatures (in JWTs as well as in general) are produced by the sender with the private key and verified by the receiver with the public key. The consumer/receiver is given only the public key which happens out_of_band (i.e. through another means of communication than the one you use to exchange the secured data).
With asymmetric JWTs(JWS) that are signed with a Private Key of the Sender, the Receiver of the Token is basically receiving the Payload(header/claims) that are in clear text other the being base64 encoded. This is why they need to be transmitted in a Secured Socket Layer(SSL) environment. To Validate the Received Signature, the Public Key is used by the Receiver to recompute the Signature of the received Payload. If the two Signatures, the Received Signature and the Computed Signature, don't match, then the Payload cant be trusted-- it is Invalid Therefore, such an Asymmetric JWS would not be a good method to include a sensitive "claim" such as a Social Security Number because the content of the Payload is not encrypted. The include such sensitive data in a JWT the Json Web Token Encrypted JWE could be employed. In the JWE the entire Payload is encrypted.
No one will encrypt the payload of a JWT. It's all about the signature! RSA or ECDSA (both asymetric) signatures can be verified just with a puiblic key, for symetric signed signatures you'll need an auth-service.
Most Common JWT Signing Algorithms:
HMAC + SHA256
RSASSA-PKCS1-v1_5 + SHA256
ECDSA + P-256 + SHA256
来源:https://stackoverflow.com/questions/32900998/jwt-keys-asymmetric-and-symmetric