How is JWT.io able to validate signatures

How is JWT.io able to validate signatures automatically for id & access tokens signed using RS256? I am not providing the public keys, but I wonder how they are able to verify the signature?

Hey @elias.nithin, JWT.io figures out the JWKS endpoint of the Identity Provider that issued the token, which will include the X.509 certificate that can be used to validate the signature.

The rough algorithm for this would be:

  1. Find the iss property of the JWT payload, which usually indicates the issuer’s URL.
  2. Read the openid-configuration JSON of the issuer by appending /.well-known/openid-configuration. For example, if the issuer is https://example.auth0.com/, the URL to look at would be https://example.auth0.com/.well-known/openid-configuration.
  3. Find the jwks_uri in the above configuration and read the JWKS by visiting that URL. Example: https://example.auth0.com/.well-known/jwks.json.
  4. This JWKS endpoint can have multiple certificates. The right cert can be inferred by looking at the kid (“key ID”) attribute in JWT’s header and matching that with the kid in the jwks.json file.
  5. Use the x5c attribute, which is the signing certificate, to validate the JWT’s signature.

This depends on the issuer being set to the domain of the IdP, and on the /.well-known/openid-configuration URL being available (almost all standard OIDC IdPs host it in that location).
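The five steps above carried through end to end, as an added example in Go (standard library only). This is not code from the thread or from Auth0. It builds a stand-in issuer at the page's example URL https://example.auth0.com/ with a freshly generated RSA key and a self-signed certificate, serves the two discovery documents from memory through a `fetch` function that stands in for an HTTP GET, signs an RS256 token, and then resolves iss → openid-configuration → jwks_uri → kid → x5c → signature in the order the answer gives. The `kid` value, the claims and the `trustedIssuers` allowlist are assumptions made for the illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Only the JWKS and JOSE header members the answer's algorithm uses; x5c is standard base64 DER, leaf first.
type jwk struct { Kid string `json:"kid"`; Kty string `json:"kty"`; X5c []string `json:"x5c"` }
type joseHeader struct { Alg string `json:"alg"`; Kid string `json:"kid"` }
var b64 = base64.RawURLEncoding // JWS segments are base64url without padding
func decodeSeg(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil { return err }
	return json.Unmarshal(raw, v)
}

// discoverAndVerify follows the answer's steps (iss -> openid-configuration -> jwks_uri -> kid -> x5c -> RS256).
// fetch stands in for an HTTP GET. trustedIssuers is the relying-party caveat: a token must never pick its own issuer.
func discoverAndVerify(token string, fetch func(string) ([]byte, error), trustedIssuers map[string]bool) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("not a compact JWS") }
	var hdr joseHeader
	if err := decodeSeg(parts[0], &hdr); err != nil { return nil, err }
	if hdr.Alg != "RS256" { return nil, fmt.Errorf("unexpected alg %q", hdr.Alg) } // pin alg; never honour "none"/HS256
	var claims map[string]any
	if err := decodeSeg(parts[1], &claims); err != nil { return nil, err }
	iss, _ := claims["iss"].(string)
	if !trustedIssuers[iss] { return nil, fmt.Errorf("issuer %q is not trusted", iss) }
	// Steps 2 and 3: the discovery document, then the key set it points at.
	cfgRaw, err := fetch(strings.TrimSuffix(iss, "/") + "/.well-known/openid-configuration")
	if err != nil { return nil, err }
	var cfg struct{ JwksURI string `json:"jwks_uri"` }
	if err := json.Unmarshal(cfgRaw, &cfg); err != nil { return nil, err }
	setRaw, err := fetch(cfg.JwksURI)
	if err != nil { return nil, err }
	var set struct{ Keys []jwk `json:"keys"` }
	if err := json.Unmarshal(setRaw, &set); err != nil { return nil, err }
	// Step 4: the certificate whose kid matches the header supplies the public key.
	var der []byte
	for _, k := range set.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" && len(k.X5c) > 0 { der, err = base64.StdEncoding.DecodeString(k.X5c[0]) }
	}
	if err != nil || der == nil { return nil, fmt.Errorf("no usable RSA certificate with kid %q in JWKS", hdr.Kid) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok { return nil, errors.New("x5c certificate does not carry an RSA key") }
	sig, err := b64.DecodeString(parts[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // Step 5: RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload"
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil { return nil, errors.New("signature does not verify") }
	return claims, nil
}

// newIssuer is a constructed stand-in for an IdP (not Auth0's code): fresh RSA key, self-signed cert, in-memory discovery docs, RS256 signer.
func newIssuer(url, kid string) (func(string) ([]byte, error), func(map[string]any) (string, error), error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: url}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	base := strings.TrimSuffix(url, "/")
	set, _ := json.Marshal(map[string]any{"keys": []jwk{{Kid: kid, Kty: "RSA", X5c: []string{base64.StdEncoding.EncodeToString(der)}}}})
	cfg, _ := json.Marshal(map[string]string{"issuer": url, "jwks_uri": base + "/.well-known/jwks.json"})
	docs := map[string][]byte{base + "/.well-known/openid-configuration": cfg, base + "/.well-known/jwks.json": set}
	fetch := func(u string) ([]byte, error) {
		if d, ok := docs[u]; ok { return d, nil }
		return nil, fmt.Errorf("404 %s", u)
	}
	sign := func(claims map[string]any) (string, error) {
		h, _ := json.Marshal(joseHeader{Alg: "RS256", Kid: kid})
		p, _ := json.Marshal(claims)
		input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
		digest := sha256.Sum256([]byte(input))
		sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
		if err != nil { return "", err }
		return input + "." + b64.EncodeToString(sig), nil
	}
	return fetch, sign, nil
}

func main() {
	fetch, sign, _ := newIssuer("https://example.auth0.com/", "key-1")
	tok, _ := sign(map[string]any{"iss": "https://example.auth0.com/", "sub": "user-1"})
	fmt.Println(discoverAndVerify(tok, fetch, map[string]bool{"https://example.auth0.com/": true}))
}
```

One thing the example adds that a debugger such as JWT.io does not need is the `trustedIssuers` allowlist. Following discovery for whatever iss a token names is fine when all you want is to display the token, but a relying party that does the same lets an attacker point the verifier at a JWKS the attacker controls, so the iss is checked against the configured IdP before any URL is fetched and the alg header is pinned to RS256 so the token cannot downgrade the check. Expiry and audience checks are left out because the question is about the signature only.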
