I’m near certain a hundred different versions of this question must have been asked by now, but I want to explain my scenario specifically because security is easy to mess up.
In my case, my site’s server is providing an endpoint from which a client can request an access token, which is really a JWT. The client provides their username and password and the server looks to see if their account is valid and if so provides a JWT that is signed using the server’s private key. The JWT also contains a claim for what “tier” of access they have (i.e., standard, premium, or admin).
What I want to do is be able to validate that the provided JWT is the one provided by the server. Specifically, I want to do this because I intend to save the JWT in local storage in the browser to avoid the authentication process again, and when I read the JWT from local storage, I want to validate that it’s not been tampered with as it contains claims that will change the site behavior client-side.
To allow for this validation, I was going to provide an endpoint on the server that returns the PEM-encoded public certificate of the site. The client could then request this and load the public key to validate the JWT.
So my question is: Is this a proper way to do this? Is it leaving the possibility for a malicious user to circumvent the JWT validation in some way?
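The scheme described in the question above, as an added example that is not part of the original post: a token carrying a `tier` claim is signed with a private key and checked against the published public key, and a token whose claim was edited afterwards is rejected. Assumptions: RS256, a constructed key pair, hypothetical function names, and Node's built-in `crypto` module standing in for both sides so the block runs offline (in a browser the same check is done with WebCrypto's `crypto.subtle.verify`).

```javascript
// Added example; all names are hypothetical. Node's crypto plays server and client.
const nodeCrypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const decodePart = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Constructed key pair standing in for the server's signing key.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
// What the public-key endpoint would serve (assumption: SPKI PEM, not a certificate).
const publicPem = publicKey.export({ type: "spki", format: "pem" });

// Server side: issue an RS256 JWT carrying the tier claim.
function issueToken(claims) {
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const signingInput = header + "." + b64url(JSON.stringify(claims));
  const signature = nodeCrypto.sign("sha256", Buffer.from(signingInput), privateKey);
  return signingInput + "." + signature.toString("base64url");
}

// Client side: return the claims if signature and expiry check out, otherwise null.
function verifyToken(token, pem, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = decodePart(h);
    claims = decodePart(p);
  } catch {
    return null; // not valid base64url JSON
  }
  // Pin the algorithm: the token's own header never chooses how it is verified.
  if (header?.alg !== "RS256") return null;
  const signature = Buffer.from(s, "base64url");
  if (!nodeCrypto.verify("sha256", Buffer.from(h + "." + p), pem, signature)) return null;
  if (typeof claims?.exp !== "number" || claims.exp <= nowSeconds) return null;
  return claims;
}

// Rewrite the tier claim without re-signing, as an edit to local storage would.
function tamperTier(token, tier) {
  const [h, p, s] = token.split(".");
  return [h, b64url(JSON.stringify({ ...decodePart(p), tier })), s].join(".");
}

const token = issueToken({ sub: "alice", tier: "standard", exp: Math.floor(Date.now() / 1000) + 3600 });
console.log(verifyToken(token, publicPem));
console.log(verifyToken(tamperTier(token, "admin"), publicPem));
```

A check like this only tells the page's own script that the stored token is intact; the server still has to verify the token and enforce the `tier` claim on every request, because a user controls the code running in their own browser.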