Private key should not be required to verify JWT #291
Comments
We added a clarification for that right in the section above which explains the usage of the
What is your suggestion?
My sincere apologies. I did not read the section of the documentation that already clarifies this.
Sorry for resurrecting, should I create another issue?
That clarification is quite far away from the code sample 😬 I can do a PR but I wonder if there is any scenario where the
There was auth0#554 referring to the unclarity of private key usage. There was also a general hint referred to in some comments, auth0#291 (comment), auth0#324 (comment), auth0#253 (comment), and the community post https://community.auth0.com/t/rsa256-jwks-jwt-validation-using-auth0s-java-jwt-and-jwks-rsa-java/13149. All of this was removed in auth0@d0ebc3f. This PR brings those back, as it might still be unclear.
As per the following code sample in the README documentation, https://github.com/auth0/java-jwt/tree/b4c1eca4c68d68a343428c8bef4ce90774a4e29d#verify-a-token, both the private and public key are needed to verify a JWT's signature. This seems incorrect, as when using the RSA256 algorithm there should be no need for the private key to verify the JWT.
This alternative Java library, https://github.com/jwtk/jjwt#reading-a-jws, shows how the JWT is verified without a secret key. Additionally, the Auth0 JWT Node.js lib, https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback, also doesn't need the private key when using RSA256.
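The point raised in this issue, shown end to end as an added example (this is not code from the java-jwt README or from anyone in the thread): the signing side uses `Algorithm.RSA256(null, privateKey)`, the verifying side uses `Algorithm.RSA256(publicKey, null)` or a verify-only `RSAKeyProvider` whose private-key methods return null, and the public key alone is enough to reject a token whose payload was swapped under the original signature. The key pair, the `demo-key-1` kid and the in-memory `jwks` map are constructed for the demo; a real verifier would fetch the public key by kid from the issuer's JWKS endpoint. The class name `VerifyWithPublicKeyOnly` is an assumption.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;

import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;

public class VerifyWithPublicKeyOnly {

    public static void main(String[] args) throws Exception {
        // Constructed key pair for the demo. In practice the verifier only ever
        // holds the public half (e.g. fetched from a JWKS endpoint).
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        RSAPublicKey publicKey = (RSAPublicKey) pair.getPublic();
        RSAPrivateKey privateKey = (RSAPrivateKey) pair.getPrivate();

        // Issuer side: only the private key is needed to sign; public key is null.
        Algorithm signingAlg = Algorithm.RSA256(null, privateKey);
        String token = JWT.create()
                .withIssuer("auth0")
                .withKeyId("demo-key-1")   // kid header, assumed value for the demo
                .sign(signingAlg);

        // Verifier side: only the public key is needed; private key argument is null.
        Algorithm verifyAlg = Algorithm.RSA256(publicKey, null);
        JWTVerifier verifier = JWT.require(verifyAlg).withIssuer("auth0").build();
        DecodedJWT jwt = verifier.verify(token);
        System.out.println("verified, iss=" + jwt.getIssuer());

        // Same check through an RSAKeyProvider, which is how a JWKS-backed verifier
        // is wired: the public key is selected by the token's kid header, and the
        // private-key methods return null because this side never signs anything.
        Map<String, RSAPublicKey> jwks = Collections.singletonMap("demo-key-1", publicKey); // stand-in for a JWKS lookup
        RSAKeyProvider verifyOnlyProvider = new RSAKeyProvider() {
            @Override public RSAPublicKey getPublicKeyById(String keyId) { return jwks.get(keyId); }
            @Override public RSAPrivateKey getPrivateKey() { return null; }
            @Override public String getPrivateKeyId() { return null; }
        };
        JWTVerifier providerVerifier = JWT.require(Algorithm.RSA256(verifyOnlyProvider))
                .withIssuer("auth0")
                .build();
        providerVerifier.verify(token);
        System.out.println("verified via RSAKeyProvider, kid=" + JWT.decode(token).getKeyId());

        // Negative check: swap the payload but keep the original signature. The public
        // key alone is enough to detect this; verify() throws a SignatureVerificationException
        // (a JWTVerificationException) before any claim is inspected.
        String[] parts = token.split("\\.");
        String forgedPayload = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("{\"iss\":\"auth0\",\"admin\":true}".getBytes(StandardCharsets.UTF_8));
        String forged = parts[0] + "." + forgedPayload + "." + parts[2];
        try {
            verifier.verify(forged);
            throw new AssertionError("forged token must not verify");
        } catch (JWTVerificationException e) {
            System.out.println("rejected forged token: " + e.getMessage());
        }
    }
}
```

Passing `null` for the side you do not hold is what keeps the private key off the verifying service entirely; the `RSAKeyProvider` form is the shape to use when keys rotate and the verifier resolves them by `kid`.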