This is fantastic, great work! The combination of hashing plus encryption makes for a lot of confusion for folks getting started down this road, regardless of dev experience.
One thing to note on the algorithm in the header ... I would recommend including that in the configuration of the app that is doing the validation. So instead of asking the token “how should I verify your signature?” the application checks that the header matches the signature type it is expecting, rejects the token if it’s different, then uses the key it has to verify.
Great note, thanks Josh! I will update the article to reflect this. And that's generally done by the SDK / library you'd be using to validate, yes?
Generally, yes. You should be able to tell that library “hey, I only want to validate RS256 tokens” and the library should reject everything else.
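To make the alg-pinning advice in the thread above concrete, here is an added Python example (not code from the article or from either commenter). It builds compact JWS tokens with only the standard library and contrasts a naive verifier that "asks the token how to verify" with one that pins the expected algorithm in its own configuration and rejects anything else before touching the key. Because the standard library has no RSA, the pinned algorithm here is HS256 rather than the RS256 mentioned above; the check is identical when the configured key is an RSA public key and the pinned value is RS256. The key and all tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical demo key, constructed for this example only.
KEY = b"constructed-demo-key-not-for-real-use"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(header: dict, payload: dict, key: Optional[bytes]) -> str:
    """Assemble header.payload.signature in JWS compact form.

    The header is encoded verbatim so the caller can label it however it
    likes. With a key the signature is HMAC-SHA256 over the signing input;
    without one the signature segment is left empty, the shape of an
    unsigned ("alg": "none") token.
    """
    compact = {"separators": (",", ":")}
    signing_input = (
        _b64url_encode(json.dumps(header, **compact).encode())
        + "."
        + _b64url_encode(json.dumps(payload, **compact).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if key else b""
    return signing_input + "." + _b64url_encode(sig)


_HMAC_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Naive verifier: the token's own header decides how it is checked."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    alg = header.get("alg")
    if alg == "none":  # the token claims to be unsigned, so nothing is checked
        return json.loads(_b64url_decode(p))
    digest = _HMAC_DIGESTS[alg]  # KeyError for anything unknown
    expected = hmac.new(key, f"{h}.{p}".encode(), digest).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Verifier that pins the algorithm in its own configuration.

    The header must name exactly the configured algorithm; anything else is
    rejected before the key is used at all.
    """
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} rejected; expected {expected_alg!r}")
    digest = _HMAC_DIGESTS[expected_alg]
    expected = hmac.new(key, f"{h}.{p}".encode(), digest).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def demo() -> dict:
    """Run both verifiers over a legitimate token and two crafted ones."""
    legit = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, KEY)
    # Forged: no key, header simply declares the token unsigned.
    forged = make_token({"alg": "none", "typ": "JWT"}, {"sub": "admin"}, None)
    # Valid HS256 signature but the header claims a different algorithm.
    relabelled = make_token({"alg": "HS512", "typ": "JWT"}, {"sub": "alice"}, KEY)
    results = {
        "legit_pinned": verify_pinned(legit, KEY)["sub"],
        "forged_trusting": verify_trusting_header(forged, KEY)["sub"],
    }
    for name, tok in (("forged", forged), ("relabelled", relabelled)):
        try:
            verify_pinned(tok, KEY)
            results[name + "_pinned"] = "accepted"
        except ValueError:
            results[name + "_pinned"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The naive verifier hands "admin" back from a token that was never signed, while the pinned verifier refuses both crafted tokens on the header comparison alone. In a real service the `expected_alg` value and the key live in the verifier's configuration, which is what a library's "only accept RS256" option does for you.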