Hello,
I have a backend application in Go and I am using the JWT authentication method for my APIs.
I have two questions:
- Which one is the best algorithm for securing an API, HS256 or RS256?
- I have created an API using the RS256 algorithm. When I decode the token string in the Debugger, it decodes all the values including the signature, so how is it secure?
Also, when I decode the token it gives an invalid signature error although all the decoded values match my original values.
You might want to go through the following links for information on both the algorithms, comparison between the two and the best security practices:
In addition to the documentation pointed to in the other answer, you mentioned the use of Go and a problem validating the token. There was an issue with a Go library for JWT that would validate that the audience of the token was exactly the same as the one configured, which could be a problem in some situations where multiple audiences were present. You can find more information here.
Another thing to have in mind is that a signed JWT can be represented as multiple base64url-encoded parts separated by a dot character and decoding the base64url data does not by itself guarantee any sort of assurance. In particular, if you need to ensure the token comes from a trusted party you’ll need to validate the signature and not just decode the base64url data.
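Added here as an editor's example to make the point of the answer above concrete in Go; it is not code from the original thread, from Auth0, or from any particular JWT library, and it uses only the standard library so that every step is visible. `DecodeUnverified` does exactly what a debugger does: base64url-decode the three dot-separated parts, which anyone can do and which proves nothing about who issued the token. `VerifyRS256` is the check the API has to run before trusting any claim: pin the expected `alg` so the token cannot pick its own algorithm, verify the RSA signature over `header.payload` with the issuer's public key, then check `exp` and `aud`. `Tamper` swaps in a new payload while keeping the old signature, so the forged token still decodes cleanly but fails verification. The claim names, the subject values and the audience `my-api` are constructed for this example. On the HS256 vs RS256 question, the practical difference is key distribution: HS256 uses one shared secret, so every service that can verify a token can also mint one, while RS256 lets the issuer keep the private key and hand verifiers only the public key; a verifier that does not have the matching public key can only report an invalid signature, no matter how correct the decoded values look.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a minimal claim set for this illustration (constructed, not from the original post).
type Claims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// JWTs use unpadded base64url for all three parts.
var b64 = base64.RawURLEncoding

// SignRS256 builds header.payload and signs SHA-256(header.payload) with RSASSA-PKCS1-v1_5,
// which is what "RS256" means in the JWS registry.
func SignRS256(c Claims, key *rsa.PrivateKey) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// DecodeUnverified is what a debugger does: base64url-decode the parts and parse the JSON.
// No key is involved, so it gives no assurance about the token's origin or integrity.
func DecodeUnverified(token string) (header map[string]string, claims Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, Claims{}, errors.New("jwt: expected three dot-separated parts")
	}
	h, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, Claims{}, err
	}
	p, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, Claims{}, err
	}
	if err := json.Unmarshal(h, &header); err != nil {
		return nil, Claims{}, err
	}
	if err := json.Unmarshal(p, &claims); err != nil {
		return nil, Claims{}, err
	}
	return header, claims, nil
}

// VerifyRS256 is what the API must do before trusting a claim: pin the algorithm,
// check the signature against the issuer's public key, then check exp and aud.
func VerifyRS256(token string, pub *rsa.PublicKey, wantAud string, now time.Time) (Claims, error) {
	header, claims, err := DecodeUnverified(token)
	if err != nil {
		return Claims{}, err
	}
	// Never let the token choose the algorithm ("none", or HS256 keyed with the public key).
	if header["alg"] != "RS256" {
		return Claims{}, fmt.Errorf("jwt: unexpected alg %q", header["alg"])
	}
	parts := strings.Split(token, ".")
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, errors.New("jwt: invalid signature")
	}
	if now.Unix() >= claims.Exp {
		return Claims{}, errors.New("jwt: token expired")
	}
	if claims.Aud != wantAud {
		return Claims{}, fmt.Errorf("jwt: audience %q not accepted", claims.Aud)
	}
	return claims, nil
}

// Tamper replaces the payload but keeps the original signature, as an attacker would try.
func Tamper(token string, c Claims) string {
	parts := strings.Split(token, ".")
	payload, _ := json.Marshal(c)
	return parts[0] + "." + b64.EncodeToString(payload) + "." + parts[2]
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok, _ := SignRS256(Claims{Sub: "user-1", Aud: "my-api", Exp: now.Add(time.Hour).Unix()}, key)
	_, c, _ := DecodeUnverified(tok)
	fmt.Println("decoded without verifying:", c)
	_, err := VerifyRS256(tok, &key.PublicKey, "my-api", now)
	fmt.Println("genuine token verifies, err =", err)
	forged := Tamper(tok, Claims{Sub: "admin", Aud: "my-api", Exp: now.Add(time.Hour).Unix()})
	_, c2, _ := DecodeUnverified(forged)
	_, err = VerifyRS256(forged, &key.PublicKey, "my-api", now)
	fmt.Println("forged token still decodes to", c2, "but verification says:", err)
}
```

Running it shows the two halves of the answer side by side: the forged token decodes just as cleanly as the genuine one, and only the signature check tells them apart. In a real service the public key would come from the issuer's JWKS endpoint rather than from a key generated in-process, and the audience check should accept every audience the API is configured for, which is the multi-audience case the library issue mentioned above was about.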
Thank you for your answer!!
Thank you for your reply on my question.