It seems to me that the main advantage of a JWT is that any client can read the claims and verify that you were the one who generated them. However, if you're using a symmetric key to calculate the signature, then the client has to know your signing key to verify the JWT, at which point they could generate whatever claims they wanted. Why would someone choose a symmetric algorithm over an asymmetric one?
One user's answer on a different question says:
Symmetric keys are only to be used in a peer-to-peer way, so it would be pointless for the receiver to modify JWTs for which only he and the sender have a shared key.
If the communication is peer-to-peer, they must have been using a secure protocol to exchange the key at some point, so what is the use of a JWT in this scenario?
The reason I ask is that most of the examples I have seen for implementing JWT-based security in ASP.NET use symmetric keys.
Tokens do not always have to be verified by the client.
As an example, in a basic ASP.NET application, the server acts as both the authentication server and the authorization server:
In this example, if the client is verifying the server's authenticity through a separate means (such as TLS/SSL) then the client doesn't need to verify the token returned by the server. There's no problem with the server using a symmetric encryption algorithm in this case.
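The case the answer describes, with the same server issuing and later verifying the token, as an added example that is not part of the answer or the original page: a minimal HS256 mint/verify pair using only Python's standard library (the key value and claims are constructed for the demo). It shows why the symmetric key must never leave the server: anyone holding it can mint claims the server will accept, which is exactly the questioner's concern, while a party without it can neither verify nor alter a token.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue a JWT signed with HMAC-SHA256 (JWS algorithm 'HS256')."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the signature is valid under `key`, else None."""
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm server-side; never let the token pick it (rejects alg 'none').
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None
    return json.loads(_b64url_decode(c64))


SERVER_KEY = b"constructed-demo-key-not-for-real-use"  # constructed; load real keys from a secret store


def demo():
    token = mint_hs256({"sub": "alice", "role": "user"}, SERVER_KEY)
    accepted = verify_hs256(token, SERVER_KEY)
    # Whoever holds SERVER_KEY can mint any claims the server will accept:
    forged = verify_hs256(mint_hs256({"sub": "alice", "role": "admin"}, SERVER_KEY), SERVER_KEY)
    # A party without the key cannot produce a signature the server accepts:
    tampered = token.rsplit(".", 1)[0] + "." + _b64url(b"\x00" * 32)
    return accepted, forged, verify_hs256(tampered, SERVER_KEY)
```

Because verification needs the same key as issuance, handing the key to a client is equivalent to handing it the right to issue tokens; keeping verification on the server is what makes the symmetric choice safe here.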