Update 15th March 2017: Given recent criticism of the JWT and JOSE specifications, I've written some notes on the question: should you use JWT/JOSE?
JSON Web T...
Can you elaborate on this comment, "However, a public key encryption scheme such as RSA would be wholly inappropriate in this case, as anybody with the public key can then create a valid session token."
I am confused about how the situation you describe can come about, specifically given the multitude of implementations described using RSA and public/private key pairs.
Box using a JSON Web Token (JWT) signed with an RSA key.
Signing a JWT with RSA SHA-256
Is your comment specific in calling out the public key as the encryption mechanism?
The issue is with just using RSA encryption without signing/hmac. Encryption is done using the public key, which means anyone with that public key could then create a valid token.
Thank you for the clarification!
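The distinction drawn in the reply above, as an added toy example that is not part of the original post or its comments: a token produced by RSA-encrypting the claim is accepted by the server whether or not a trusted party minted it, because the public key is all that is needed, whereas an RSA signature (RS256-style) or an HMAC (HS256-style) can only be minted with material the client never holds. It assumes constructed textbook-RSA parameters, small integer claims and a constructed HMAC key; none of this is real-world key material.

```python
import hmac
from typing import Optional, Tuple

# Constructed toy RSA key pair (p=61, q=53): n=3233, e=17, d=2753.
# Textbook RSA with tiny numbers for illustration only; claims are small ints.
N, E, D = 3233, 17, 2753
SERVER_HMAC_KEY = b"constructed-demo-secret"  # never leaves the server

def public_op(x: int) -> int:
    """RSA exponentiation anyone holding the public key (N, E) can perform."""
    return pow(x, E, N)

def private_op(x: int) -> int:
    """RSA exponentiation only the private-key holder can perform."""
    return pow(x, D, N)

def hmac_tag(user_id: int) -> bytes:
    return hmac.new(SERVER_HMAC_KEY, str(user_id).encode(), "sha256").digest()

# Scheme A: the flawed design from the thread, "just RSA-encrypt the claim".
def issue_encrypted(user_id: int) -> int:
    return public_op(user_id)            # needs only the PUBLIC key

def accept_encrypted(token: int) -> int:
    return private_op(token)             # server decrypts and trusts the claim

# Scheme B: RSA signature (RS256-style). Real RS256 signs a SHA-256 digest of
# header.payload; the toy signs the claim directly to stay below N.
def issue_signed(user_id: int) -> Tuple[int, int]:
    return user_id, private_op(user_id)  # needs the PRIVATE key

def verify_signed(token: Tuple[int, int]) -> Optional[int]:
    user_id, sig = token
    return user_id if public_op(sig) == user_id else None

# Scheme C: HMAC (HS256-style), a secret shared only among trusted services.
def issue_hmac(user_id: int) -> Tuple[int, bytes]:
    return user_id, hmac_tag(user_id)

def verify_hmac(token: Tuple[int, bytes]) -> Optional[int]:
    user_id, tag = token
    return user_id if hmac.compare_digest(tag, hmac_tag(user_id)) else None

def public_key_holder_can_issue(claimed_id: int) -> dict:
    """Whether a party holding only (N, E) can mint an accepted token per scheme."""
    minted_a = public_op(claimed_id)                  # exactly what scheme A does
    minted_b = (claimed_id, public_op(claimed_id))    # no D, so E is all they have
    minted_c = (claimed_id, b"\x00" * 32)             # no secret, so a placeholder tag
    return {
        "encrypted": accept_encrypted(minted_a) == claimed_id,
        "signed": verify_signed(minted_b) == claimed_id,
        "hmac": verify_hmac(minted_c) == claimed_id,
    }
```

The check function returns True only for the encryption scheme: decrypting with the private key tells the server nothing about who produced the ciphertext, which is why authenticity needs a signature or a MAC rather than encryption.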
Awesome, really great information. Thanks for putting it all together.