Explanation of the JWT Signature Verification Process

Hi everyone,

As I am quite new in the topics of Auth0, JWT, JWKS, etc., I have spent the better part of the last couple of weeks really trying to sink my teeth into the whole picture. My native language is COBOL and since there seemingly are no resources out there for COBOL developers wanting to verify JWTs, I have been writing my own. I have everything going great up until the point of the actual JWT signature verification. Here is my understanding so far for using RS256 method.

  1. Find a valid JWKS record from the API for my company’s domain.
  2. String together the JWT header + . + payload.
  3. Using SHA-256, hash the above string.
  4. From JWKS, build a certificate using the x5c record from the JWKS. This certificate becomes the public key.

I know there is a difference between signing and encryption, and I seem to have found conflicting information on the last steps of this process. Do I use the public key to encrypt the hashed string using the RSA encryption method? Or do I decode the base64url representation of the signature and then decrypt that string using the RSA decryption method?

Like I said, I have not seen any article or information available that really breaks down all the details of the process. And since I am having to write my own routine from scratch (with no help from inherent “verify signature” routines in COBOL), I am trying to ensure that all of this is written correctly.

Any help/guidance would be greatly appreciated!!
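The RS256 check from steps 1 to 4 of the post, carried through to the end, as an added example that is not code from the post or from Auth0. It shows what "verify with the public key" amounts to in RSASSA-PKCS1-v1_5 (RFC 8017): base64url-decode the signature, apply the RSA public-key operation s^e mod n to it, and compare the result byte for byte against the PKCS#1 v1.5 encoding of the SHA-256 hash of the exact `header.payload` bytes from the token. It reads the modulus and exponent from the JWK `n` and `e` fields rather than parsing the x5c certificate, and the key pair (built from two Mersenne primes so the example is deterministic and runs offline), the `kid`, issuer and subject values are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    # JWT uses base64url without padding; restore the '=' padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def emsa_pkcs1_v15_sha256(message: bytes, em_len: int) -> bytes:
    # EMSA-PKCS1-v1_5: 0x00 0x01 FF..FF 0x00 DigestInfo(SHA-256(message)).
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("RSA modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_verify(token: str, jwk: dict) -> bool:
    """Verify a compact JWS (header.payload.signature) against an RSA public JWK."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False
    # Pin the algorithm: the verifier decides what it accepts, not the token.
    if not isinstance(header, dict) or header.get("alg") != "RS256" or jwk.get("kty") != "RSA":
        return False
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")  # JWK modulus
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")  # JWK public exponent
    k = (n.bit_length() + 7) // 8                        # modulus length in bytes
    if len(sig) != k:                                    # RSASSA-PKCS1-v1_5-VERIFY step 1
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    # RSAVP1, the public-key operation s^e mod n, recovers the encoded message.
    em = pow(s, e, n).to_bytes(k, "big")
    # Steps 2 and 3 of the post: hash exactly the bytes "header.payload" as they
    # appear in the token, then rebuild the encoding the signer must have produced.
    expected = emsa_pkcs1_v15_sha256((header_b64 + "." + payload_b64).encode("ascii"), k)
    return hmac.compare_digest(em, expected)

# Everything below only builds a constructed demo key and token so the verifier
# above can be exercised offline; in production the public key comes from the JWKS.

def make_demo_key() -> dict:
    # Constructed demo key from the Mersenne primes 2^521-1 and 2^607-1 (1128-bit n),
    # chosen only so the example is deterministic; real keys use random primes.
    p, q, e = (1 << 521) - 1, (1 << 607) - 1, 65537
    phi = (p - 1) * (q - 1)
    return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def public_jwk(key: dict, kid: str = "demo-key-1") -> dict:
    # The public half as a JWK, as a JWKS endpoint publishes it (x5c omitted here).
    def uint(x: int) -> str:
        return b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "n": uint(key["n"]), "e": uint(key["e"])}

def rs256_sign(header: dict, payload: dict, key: dict) -> str:
    # RSASSA-PKCS1-v1_5 signing with the private exponent (the issuer's side).
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    k = (key["n"].bit_length() + 7) // 8
    em = emsa_pkcs1_v15_sha256((h + "." + p).encode("ascii"), k)
    s = pow(int.from_bytes(em, "big"), key["d"], key["n"])
    return h + "." + p + "." + b64url_encode(s.to_bytes(k, "big"))

def demo() -> tuple:
    # Returns (genuine token verifies, payload-tampered token verifies).
    key = make_demo_key()
    jwk = public_jwk(key)
    token = rs256_sign({"alg": "RS256", "typ": "JWT", "kid": jwk["kid"]},
                       {"iss": "https://tenant.example/", "sub": "user-1"}, key)
    h, _, s = token.split(".")
    forged = h + "." + b64url_encode(b'{"iss":"https://tenant.example/","sub":"user-2"}') + "." + s
    return rs256_verify(token, jwk), rs256_verify(forged, jwk)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

So the answer to the question in the post is the second option, in spirit: the signature is base64url-decoded and put through the RSA public-key operation (the same modular exponentiation that "decryption" would use, but with the public exponent), and the result must equal the padded DigestInfo of the SHA-256 hash; nothing is ever encrypted on the verifier's side. Where the JWKS entry carries `x5c`, the certificate's SubjectPublicKeyInfo holds the same `n` and `e`; parsing that DER structure is left out above. In a real verifier the `alg` check, the `kid` lookup against the JWKS, and the `iss`, `aud` and `exp` claim checks all sit around this core.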