JWT is a well-known open standard for sharing information between services in a secure way. The information is signed with a signing key, so the payload is protected against tampering.
Most samples are based on the HS256 signing scheme. With this scheme, two services that want to share a token must share a secret key, used both to generate and to validate the token. This option is useful if you want to share tokens between different services of your own application. But what if you want to share information with applications from third parties, or with many of them? You would need to share a secret with every service, a nightmare of (password, service) pairs to remember. There is a simple solution: an RSA private/public key pair. With RSA, keys come in pairs: what is signed with the private key can be verified with the public key. In JWT this means that after generating the pair (private key, public key), the private key must be stored in a safe place and is used to generate every token, while the public key can be made publicly available and used to verify the integrity of a JWT token.
Following this sample, I have extended the library to use the RS256 signing scheme. The library covers:
- generation of the (private key, public key) pair; the private key is stored in a file encrypted with the Blowfish cipher, and the public key is stored in both XML and PEM format;
- generation of a JWT token carrying a username and a user id;
- verification of the token and extraction of the claims from it.
The source code for the library is here; it is based on the Microsoft JWT implementation for .NET and .NET Core.
For an introduction to JWT with Python, see here.
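The key split described above in code, as an added example that is not the author's library: the signer holds the RSA private key, while the verifier receives only the public parameters and pins the accepted algorithm to RS256. It assumes the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens packages; the issuer, audience and user values are constructed for the demo.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;

// Added example (not the author's library): RS256 sign with the private key,
// verify with the public half only. Issuer/audience strings are constructed values.
public static class Rs256Demo
{
    // Signing side: needs the private key.
    public static string CreateToken(RSA privateRsa, string username, string userId)
    {
        var credentials = new SigningCredentials(
            new RsaSecurityKey(privateRsa), SecurityAlgorithms.RsaSha256);
        var token = new JwtSecurityToken(
            issuer: "example-issuer", audience: "example-audience",
            claims: new[] {
                new Claim(JwtRegisteredClaimNames.Sub, userId),
                new Claim(JwtRegisteredClaimNames.UniqueName, username) },
            expires: DateTime.UtcNow.AddMinutes(30),
            signingCredentials: credentials);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Verifying side: holds only the public parameters (ExportParameters(false)).
    public static ClaimsPrincipal Validate(string jwt, RSAParameters publicParams)
    {
        var rules = new TokenValidationParameters
        {
            ValidIssuer = "example-issuer",
            ValidAudience = "example-audience",
            IssuerSigningKey = new RsaSecurityKey(publicParams),
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // refuse HS256/none
            ClockSkew = TimeSpan.FromMinutes(1)
        };
        return new JwtSecurityTokenHandler().ValidateToken(jwt, rules, out _);
    }

    public static void Main()
    {
        using var issuerKey = RSA.Create(2048);
        string jwt = CreateToken(issuerKey, "alice", "42");
        var principal = Validate(jwt, issuerKey.ExportParameters(false));
        // The handler maps "sub" to ClaimTypes.NameIdentifier by default.
        Console.WriteLine("userid = " + principal.FindFirst(ClaimTypes.NameIdentifier)?.Value);

        // A token signed with any other private key must be rejected by this verifier.
        using var otherKey = RSA.Create(2048);
        try { Validate(CreateToken(otherKey, "bob", "7"), issuerKey.ExportParameters(false)); }
        catch (SecurityTokenException e) { Console.WriteLine("rejected: " + e.GetType().Name); }
    }
}
```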