What if a token recipient (in a request chain) does not have access to the public key?

Hello, all. I have an application stack that has some Java services and some Python services. If a user initiates a request, and then a token is created (RSA-384) in a Java service, it may make its way to a Python service on another machine. Both machines have certificates from the same issuer, but the Python service on another machine does not have access to the public key of the Java server where the JWT was created. In this case, is there any way that I can verify the signature? Is it possible to verify by using the issuer?

Note that we do not have a server (like keycloak) that handles the issuing of tokens at this time. We will move toward a more standard authentication architecture, but we are a research project for an organization, and we are trying to get this up and running quickly.

Hi @Steve973

Welcome to the Auth0 Community!

Can you give some example of the following:

and

What certificates and what do you mean verify using the issuer?

Hi, @dan.woda and thank you for replying.

On an enclave, we have a certificate authority that issues certificates. Let’s say that we have Server A and Server B that both have SSL certs from that same CA (issuer). I generate a token on Server A, and sign it with Server A’s SSL private key, and pass it with a request to Server B. If Server B does not have access to Server A’s public cert, can Server B still verify the JWT from Server A?

Note that I have gotten around this in another way, but I would still like to know if this is possible.

1 Like

No, a public key is needed to verify the signature.

If both of your servers are communicating with a central authority, why not make the public keys available from that centralized source?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.