Why not have the public key in JWT payload for convenience

Submitted by 孤街浪徒 on 2021-02-10 04:57:06

Question


As I understand it: to check the validity of a JWT created using an asymmetric public/private key encryption algorithm, you require the public key along with the JWT header, claim (aka payload) and signature. The JWT header and claim can be decoded freely but can't be verified without the public key to validate the signature with (which is based on the header & claim and created with the private key).

My question is: why not just bundle the public key into the claim payload of the token? That way anyone can check the validity of the token without necessarily needing to dig up the public key from a database or file store.


Answer 1:


How would you know that the public key delivered with JWT is authentic? For all you know, an attacker may have generated a key pair, signed the payload with the private key and included data, signature and public key in the JWT. This "thing" that you have now doesn't prove anything.



Source: https://stackoverflow.com/questions/38955830/why-not-have-the-public-key-in-jwt-payload-for-convenience
