Hello, all. I have an application stack that has some Java services and some Python services. If a user initiates a request, and then a token is created (RSA-384) in a Java service, it may make its way to a Python service on another machine. Both machines have certificates from the same issuer, but the Python service on another machine does not have access to the public key of the Java server where the JWT was created. In this case, is there any way that I can verify the signature? Is it possible to verify by using the issuer?
Note that we do not have a server (like keycloak) that handles the issuing of tokens at this time. We will move toward a more standard authentication architecture, but we are a research project for an organization, and we are trying to get this up and running quickly.
On an enclave, we have a certificate authority that issues certificates. Let’s say that we have Server A and Server B that both have SSL certs from that same CA (issuer). I generate a token on Server A, and sign it with Server A’s SSL private key, and pass it with a request to Server B. If Server B does not have access to Server A’s public cert, can Server B still verify the JWT from Server A?
Note that I have gotten around this in another way, but I would still like to know if this is possible.
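A signature can only be checked with the signer's public key, so the issuer alone is never enough; what the shared CA gives you is a way to trust a key that Server A carries along with the token. The standard mechanism is the JWS `x5c` header (RFC 7515): Server A embeds its own certificate in the token, Server B chains that certificate to the enclave CA it already trusts, and only then uses the embedded public key to verify the RS384 signature. The following Go program is an added example written for this page, not code from the poster's stack; Go is used because its standard library covers X.509 and RSA without extra dependencies, and the certificate names, lifetimes and claims are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newCert issues a certificate for cn: self-signed when parent is nil (the enclave CA),
// otherwise signed by parent, like the SSL certs of Server A and B. Toy serials and lifetimes.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil { signerCert, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signJWT is Server A's side: RS384 over header.payload, with Server A's own
// certificate carried in the x5c header (RFC 7515 section 4.1.6: standard base64 of the DER).
func signJWT(claims map[string]interface{}, cert *x509.Certificate, key *rsa.PrivateKey) (string, error) {
	x5c := []string{base64.StdEncoding.EncodeToString(cert.Raw)}
	hj, err := json.Marshal(map[string]interface{}{"alg": "RS384", "x5c": x5c})
	if err != nil { return "", err }
	cj, err := json.Marshal(claims)
	if err != nil { return "", err }
	input := b64url(hj) + "." + b64url(cj)
	digest := sha512.Sum384([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA384, digest[:])
	if err != nil { return "", err }
	return input + "." + b64url(sig), nil
}

// verifyJWT is Server B's side: it holds no copy of Server A's key, only the enclave CA
// in roots. It chains the x5c leaf to that CA first and only then trusts the leaf's
// public key; without the chain check, x5c would let the caller pick the verification key.
func verifyJWT(token string, roots *x509.CertPool) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed JWS") }
	hj, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr struct { Alg string `json:"alg"`; X5c []string `json:"x5c"` }
	if err := json.Unmarshal(hj, &hdr); err != nil { return nil, err }
	if hdr.Alg != "RS384" { return nil, fmt.Errorf("alg %q not allowed", hdr.Alg) } // pin the algorithm
	if len(hdr.X5c) == 0 { return nil, fmt.Errorf("no x5c in header") }
	der, err := base64.StdEncoding.DecodeString(hdr.X5c[0])
	if err != nil { return nil, err }
	leaf, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return nil, fmt.Errorf("x5c does not chain to a trusted CA: %w", err)
	}
	pub, ok := leaf.PublicKey.(*rsa.PublicKey)
	if !ok { return nil, fmt.Errorf("x5c key is not RSA") }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil { return nil, err }
	digest := sha512.Sum384([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA384, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	cj, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil { return nil, err }
	claims := map[string]interface{}{}
	return claims, json.Unmarshal(cj, &claims)
}

func main() {
	ca, caKey, err := newCert("enclave-ca", true, nil, nil)
	if err != nil { panic(err) }
	serverA, aKey, err := newCert("server-a", false, ca, caKey)
	if err != nil { panic(err) }
	token, err := signJWT(map[string]interface{}{"sub": "alice"}, serverA, aKey)
	if err != nil { panic(err) }
	roots := x509.NewCertPool() // Server B's trust store holds only the enclave CA
	roots.AddCert(ca)
	fmt.Println(verifyJWT(token, roots))
}
```

Server B never needs Server A's key out of band: the trust decision rests on the CA in `roots`, and a token whose `x5c` leaf was not issued by that CA is rejected before its signature is even examined. In a deployment the verifier would additionally check that the leaf's subject matches the service it expects to hear from and that the usual JWT claims (`exp`, `aud`) hold; both are deliberately left out of the example to keep the chain-then-signature order visible.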