Private key should not be required to verify JWT #291

Closed
anuragkapur opened this issue Oct 21, 2018 · 4 comments

Comments

@anuragkapur

As per the following code sample in the documentation in the readme https://github.com/auth0/java-jwt/tree/b4c1eca4c68d68a343428c8bef4ce90774a4e29d#verify-a-token, both the private and public keys are needed to verify a JWT's signature. This seems incorrect, as when using the RSA256 algorithm there should be no need for the private key to verify the JWT.

```java
String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.AbIJTDMFc7yUa5MhvcP03nJPyCPzZtQcGEp-zWfOkEE";
RSAPublicKey publicKey = //Get the key instance
RSAPrivateKey privateKey = //Get the key instance
try {
    // README snippet as quoted in the issue: both keys are handed to the algorithm
    Algorithm algorithm = Algorithm.RSA256(publicKey, privateKey);
    JWTVerifier verifier = JWT.require(algorithm)
        .withIssuer("auth0")
        .build(); //Reusable verifier instance
    DecodedJWT jwt = verifier.verify(token);
} catch (JWTVerificationException exception){
    //Invalid signature/claims
}
```

This alternate Java library, https://github.com/jwtk/jjwt#reading-a-jws, shows how the JWT is verified without a secret key. Additionally, the Auth0 JWT node.js lib https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback also doesn't need the private key when using RSA256.

@lbalmaceda
Contributor

We added a clarification for that right in the section above which explains the usage of the Algorithm class (used both for signing and verifying tokens). https://github.com/auth0/java-jwt/tree/b4c1eca4c68d68a343428c8bef4ce90774a4e29d#pick-the-algorithm

When using RSA or ECDSA algorithms and you just need to sign JWTs you can avoid specifying a Public Key by passing a null value. The same can be done with the Private Key when you just need to verify JWTs.

What is your suggestion?

@anuragkapur
Author

My sincere apologies. I did not read the section of the documentation that already clarifies this.

@hoto

hoto commented Oct 5, 2020

Sorry for resurrecting, should I create another issue?

We added a clarification for that right in the section above which explains the usage of the Algorithm class

That clarification is quite far away from the code sample 😬

[Screenshot 2020-10-05 at 13 17 06]

I can do a PR, but I wonder if there is any scenario where the RSAPrivateKey would NOT be null when verifying the token?
I wonder if the readme could be updated to pass RSAPrivateKey as null, or put another short explanation in the comment?

@petrdvorak
Contributor

@hoto Best... visualization... ever... 😄 I opened #555 to address this; the docs also struck me visually, and no, there is no situation when a private key is required during JWT verification.
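What the two maintainer replies amount to in code, as an added example that is not the README snippet or anyone's code from this thread: the signing side builds `Algorithm.RSA256(null, privateKey)`, the verifying side builds `Algorithm.RSA256(publicKey, null)`, and a token signed under one key pair must be rejected by an unrelated public key. The key pairs are generated in-process as throwaway test keys, and the class and method names are my own.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

public class SplitKeyRs256Example {
    // Issuer side: holds only the private key, so the public-key slot is null.
    static String issueToken(RSAPrivateKey signingKey) {
        Algorithm signer = Algorithm.RSA256(null, signingKey);
        return JWT.create().withIssuer("auth0").sign(signer);
    }

    // Verifier side: holds only the public key, so the private-key slot is null.
    // Throws JWTVerificationException on a bad signature or a wrong issuer claim.
    static DecodedJWT verifyToken(String token, RSAPublicKey verificationKey) {
        Algorithm verifier = Algorithm.RSA256(verificationKey, null);
        JWTVerifier jwtVerifier = JWT.require(verifier).withIssuer("auth0").build();
        return jwtVerifier.verify(token);
    }

    // Constructed throwaway key pair for the demonstration only.
    static KeyPair freshRsaKeyPair() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        KeyPair issuerKeys = freshRsaKeyPair();
        KeyPair unrelatedKeys = freshRsaKeyPair(); // a second pair that must NOT validate
        String token = issueToken((RSAPrivateKey) issuerKeys.getPrivate());

        // Matching public key: verification succeeds with no private key present.
        DecodedJWT jwt = verifyToken(token, (RSAPublicKey) issuerKeys.getPublic());
        System.out.println("verified, issuer = " + jwt.getIssuer());

        // Unrelated public key: the signature check must fail.
        try {
            verifyToken(token, (RSAPublicKey) unrelatedKeys.getPublic());
            System.out.println("BUG: token accepted with the wrong public key");
        } catch (JWTVerificationException expected) {
            System.out.println("rejected with wrong public key: " + expected.getMessage());
        }
    }
}
```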

BaurzhanSakhariev added a commit to BaurzhanSakhariev/java-jwt that referenced this issue Feb 12, 2024
There was an auth0#554 referring to the unclarity of private key usage.

Also there was a general hint referred to in some comments:
auth0#291 (comment)

auth0#324 (comment)

auth0#253 (comment)

and a community post
https://community.auth0.com/t/rsa256-jwks-jwt-validation-using-auth0s-java-jwt-and-jwks-rsa-java/13149

All this was removed in auth0@d0ebc3f

This PR brings those back, as it might still be unclear.