
So, right now I'm building an API for third-party use and I was reading about RS256 and HS256. What I understood was that the difference between them is that in the first one you use a public key to verify and a private key to sign, and the other one uses just one key. So you use RS256 because you want to keep your secret key secure and want the client to verify the token, but what I don't understand is why you would want to verify the token in the client. Because you do a POST request to the server, then it sends you back a token, and whenever you want to make an authorized request you just use that token and the server verifies it and lets you continue if it's ok. So, why would you want to verify the token in the client? I thought it was the backend's duty.

I think maybe I'm wrong about something; I hope you can help clear this up. Thanks.

EDIT:

So, my question is: I know the differences between RS256 and HS256, but what I don't understand is the flow of how it is used. Right now I'm developing a third-party API, and I just need to return a token when the client asks for it, and then in the requests that need it, just verify from the server that it's a valid token. From what I understand, RS256 is used when you want to verify your token from the client; if that's right, can someone give me an example of when or why you would want to verify the token in the client?

  • Your sentence "So what I don't understand why you would like to verify the token in the client?" does not make any sense because it has no relation to what you said before. Edit your question and make it clearer what you want to do and what your question is. – Robert Mar 29 '18 at 18:34
  • @Robert I edited, hope you can understand now. – Leonardo Emilio Dominguez Mar 29 '18 at 18:41
  • Possible duplicate of [RS256 vs HS256: What's the difference?](https://stackoverflow.com/questions/39239051/rs256-vs-hs256-whats-the-difference) – Matt Morgan Mar 29 '18 at 18:47

1 Answer

Use RS256 when:

  • tokens are signed by a third party, usually an Identity Provider (e.g. OAuth2/OIDC), and you need to verify that the token has been issued by a trusted entity

  • tokens are signed by clients, usually to get access to an API, where clients have previously registered the public key

  • tokens are signed by a centralized authentication server in a Single Sign-On system and they are used to get access to several federated servers

  • tokens are used to transfer data between two parties, not necessarily for authentication purposes, and the signature is used to ensure the identity of the signatory

Use HS256 when:

  • tokens are signed and validated by the same server
pedrofb
  • So regarding the tokens signed by clients, is that what third-party APIs like Facebook, Stripe and others do? They give you a public and a secret, so you can generate the token on your server to get access to an API instead of asking their server for that access? – Leonardo Emilio Dominguez Mar 29 '18 at 19:16
  • I do not know how exactly those APIs work, but when you use asymmetric keys, you generate the key pair, private and public, on your device; the private key is stored locally, and the public key is sent to the server during the registration process. The third-party server does not send the keys to you. To authenticate, you generate a token and sign it using the private key. – pedrofb Mar 29 '18 at 20:06