How can JWT be verified outside the authorization server

Submitted by 扶醉桌前 on 2021-02-08 08:15:13

Question


Recently, I'm trying to implement an OAuth2.0 server using JSON Web Token (JWT) as the access token. I'm very confused about the self-contained feature of JWT. I notice that a JWT can be verified anywhere, not necessarily in the authorization server, because it is self-contained. How does this feature work? What claims should be included in a JWT in order to realize the self-contained feature?

Another question is that, if JWT is stateless, it means the server should not store the JWT. Then how is the JWT verified? Can't it be easily forged?

I'm a rookie in this field; I wish someone could help me out :)


Answer 1:


JWT contains claims that can be signed, encrypted or both. These operations are performed using cryptographic keys. Keys can be symmetric (e.g. octet keys) or asymmetric (e.g. private/public key pairs such as RSA or EC keys).

When you want to verify a JWT (i.e. a JWS), you have to perform the following steps:

  • Check the header (algorithm is supported, critical claims are in the payload and their values are understood).
  • Check the claims (especially exp, iat, nbf, aud).
  • Check the signature.

To check the signature, you need the key and, depending on the algorithm, this key can be

  • The symmetric key
  • The public key if asymmetric

When you want to allow third party applications to verify your JWT, you will use asymmetric keys and share the public key with the third parties. As public keys cannot be used to sign, third parties cannot forge a valid token with custom claims.

The way you share the keys is up to you. The common way is to provide a URL where applications will retrieve them (e.g. Google keys at https://www.googleapis.com/oauth2/v3/certs).



Source: https://stackoverflow.com/questions/39637560/how-can-jwt-be-verified-outside-the-authorization-server
