Great article, really fantastic. But I just have a small doubt. I don't think we can decrypt the signature obtained in JWT using the public key provided by the authentication server.
The purpose of the public key is indeed to decrypt the signature so that the client can validate the token by comparing the hashes. The private key is used by the authorization server to sign tokens.
This is a very old response now, but for others who hit this page - there is a confusion of terms here. The content isn't encrypted, but rather cryptographically signed. mritunjay is correct that you cannot decrypt with a public key, but you can verify a cryptographic signature with a public key.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Great article, really fantastic. But I just have a small doubt. I don't think we can decrypt the signature obtained in JWT using the public key provided by the authentication server.
Please let me know if I am wrong.
The purpose of the public key is indeed to decrypt the signature so that the client can validate the token by comparing the hashes. The private key is used by the authorization server to sign tokens.
This is a very old response now, but for others who hit this page - there is a confusion of terms here. The content isn't encrypted, but rather cryptographically signed. mritunjay is correct that you cannot decrypt with a public key, but you can verify a cryptographic signature with a public key.