confused on validation of token on auth0 JWT java library

Question

I read public/private key is so you can

create JWT token with private / public key
hand out your public key only to 3rd parties
3rd parties can now validate users JWT tokens via the public key

However, their example with private / public key requires the private key to validate which seems odd ->

String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.AbIJTDMFc7yUa5MhvcP03nJPyCPzZtQcGEp-zWfOkEE";
RSAPublicKey publicKey = //Get the key instance
RSAPrivateKey privateKey = //Get the key instance
try {
    Algorithm algorithm = Algorithm.RSA256(publicKey, privateKey);
    JWTVerifier verifier = JWT.require(algorithm)
        .withIssuer("auth0")
        .build(); //Reusable verifier instance
    DecodedJWT jwt = verifier.verify(token);
} catch (JWTVerificationException exception){
    //Invalid signature/claims
}

Is there no way to validate with just the public key?

this might help you: https://stackoverflow.com/questions/47119043/verifying-auth0-jwt-throws-invalid-algorigthm/71564958#71564958 — Akber Iqbal, Mar 21 '22 at 22:43

score 0 · Answer 1 · answered Apr 25 '22 at 15:31

0

On this line:

Algorithm algorithm = Algorithm.RSA256(publicKey, privateKey);

pass the privateKey as null. Private keys are for signing.

Algorithm algorithm = Algorithm.RSA256(publicKey, null);

answered Apr 25 '22 at 15:31

depth13

23
1
2
5

confused on validation of token on auth0 JWT java library

1 Answers1