Wouldn't it be nice to have an alternative authentication flow between untrusted parties and not have to manage secrets and keys for multiple issuers and multiple audiences? Modern cryptography algorithms such as ES256 provide fast and secure token transmission.
Objectives
* Learn how to secure payloads between two untrusted parties
* Understand JSON Web Tokens
* Understand Authentication Flow between an issuer and an audience
* Understand the importance of the ES256 algorithm
* Understand the role of the JSON Web Keyset in the authentication flow
Scope
This document walks through a process of creating and verifying JsonWebTokens using ES256.
JsonWebTokens help secure communication between two systems, such as browser to server, or server to server. Signing a token allows the receiver to trust the sender or "issuer". You can sign a token with several different algorithms. This process provides a stateless approach to authentication.
HS256 is an algorithm which requires sharing a secret phrase. Both sides must know the secret out of band.
RS256 algorithm requres a rsa private key to sign the JsonWebToken and a public rsa key to verify the JsonWebToken.
We are going to use the ES256 algorithm which requires an ECDSA private key and a public key to verify the JsonWebToken.
ECDSA cryptography is as strong as RSA cryptography yet smaller and faster. For details see: https://tools.ietf.org/html/rfc7518#section-3.4
First, let's generate a keypair. A key pair contains a public and private key. The private key is used to sign the token. By signing the token you are able to prove to the audience that you are the issuer of the token.
> If you remember anything from reading this, remember to keep the private key in a
> secure place. DO NOT SHARE ON VERSION CONTROL. DO NOT STORE IN YOUR SOURCE CODE WHERE IT CAN BE EXPOSED ON THE CLIENT SUCH AS THE WEB BROWSER.
The public key is used to verify the token and can be provided to the public.