Discussion on: Authorization and Authentication For Everyone

harkinj

Great article.
Two small questions:
"The client application then decodes the ID token (which is a JWT) and verifies it. This includes validating the signature" - to do this, must the client app have the public key of the issuer installed? Does the client also need to communicate/interface with the auth server at the point of verification/validation?
Thanks for your time.

Kim Maida (author)

Hello, thanks for your questions!

1) Yes, the client app must have access to the decryption key in order to validate the signature; otherwise, it won't be able to decrypt the signature to see its contents. If asymmetric key cryptography is being used, then it will be a public key; if symmetric, there is only one key, and that same key must be kept private on both the client and authorization server (not recommended).

2) No, the client does not need to communicate with the auth server during validation. It should already have the key, and everything else it needs to perform validation is contained within the JWT itself.

It's strongly recommended that you not implement validation manually, but rather, that you use an SDK or library. If you'd like to learn a lot more about this, I also wrote Signing and Validating JSON Web Tokens (JWT) for Everyone.