DEV Community

Discussion on: Cryptography for programmers 3: Hashes, MACs & JWT

Sergi Canal

Thanks for the comment!

It is true that you can use asymmetric crypto for JWT, although I did not mention it because I will cover asymmetric cryptography in the next post. As far as I know it is not used as much, and for the authentication problem I don't see any advantages.

In asymmetric cryptography there is a private key and a public key. For encryption you would encrypt a message with the public key, and then decrypt it with the private key. Signing is the reverse: you encrypt it with the private key, and then it can be verified with the public key. So when using an asymmetric algorithm for signing in JWT, since the public key is public, anybody can verify a token, but only the one with the private key can sign it. With HMAC, to verify a token you need the secret key, and it cannot be public, so only the creator can verify it. That's the main advantage of asymmetric cryptography in JWT, if it is a property that you want. I guess another advantage is that if you want to minimize the amount of keys you need to protect, and you already have an asymmetric key pair (you have an SSL certificate, for example), you can reuse it for JWT.

Andrei Gatej

Thanks for such an informative answer!

Maybe the public and private keys approach would be useful when adopting a microservices architecture, where each service would hold the public key.

Looking forward to your next article!