Where does jwt.io get the public key from JWT token?

I was decoding a JWT token via jwt.io (in the Debugger section) to see Headers, Payload. Surprisingly, it also verified, and I could see it (jwt.io debugger) is able to retrieve the public key as well.

So my question is: Does JWT token provide the public key as well as part of the JWT token?

I am pasting part of it (I can't paste the full token for security reasons, so I will be truncating part of the actual JWT token):

F3cy5jb21cL2V1LXdlc3QtMV9ZckVRYjY5Z1giLCJleHAiOjE2MDE2Mzg4OTMsImlhdCI6MTYwMTYzNTI5MywidmVyc2lvbiI6MiwianRpIjoiNmI2YmZiNmYtY2M0MS00N2Q5LWI0YzYtOTBmOGFmNWM2MjQ1IiwiY2xpZW50X2lkIjoiMTM0MWxxa3N1ZmUwbm1vaW9kdnRjc2t2cWIifQ.RtKfz54uBgSZ1gc4KRPjzL4dPe5AbH2YMJu-DDvIxBzgMjqT9q4ApGzcWYB62-MgDUf-F_hK0kF9eIwAi9fARhp 0HGGnyiuydW_our6zE3EphLvXQByTDY5xzOUuSvt7WbDZWeSfpHcjrBttRSJAPOsZ2gInafKjZgWKyGL4vJB9swEhOMSSpTQDGWKenJCyp4emhe8E4XGzYTo9WEb-Wqg6sI__LrusDNd917FaocPKBxA

Decoded messages (again truncated)

Headers:

{
  "kid": "cJ0PzkBXPyjX7FM67jcOECIY=",
  "alg": "RS256"
}

Payload:

{
  "sub": "13lqs0moiodvtcskvqb",  
  "token_use": "access",  
  "scope": "example.com/Manage",  
  "auth_time": 1601293,  
  "iss": "https://cognito.eu.amazonaws.com/",  
  "exp": 1601638,  
  "iat": 10353,  
  "version": 2,  
  "jti": "cc1-47d9-b6-5c6245",  
  "client_id": "nmodvtcb"  
}

In there, I can see the public key (truncated):

-----BEGIN PUBLIC KEY-----
QEFAAOCAQ8AMIIBCxmf9bakWk
556KYmIZB+Sy1ftkkGa4qlUsmRvcG2Hll+7HBWp1ao6MVLskjdaaKg8iH1Iz4DKG
lgqT/ndwhoxvTBuvm0X2CZoNzZn4S8wDTr78m/S/YegZRhv6y58gkiKSEmbbC/g5
Bp+AF88NwBvLm1jdd
-----END PUBLIC KEY-----

Where is the debugger in jwt.io retrieving the public key from? I am not able to understand this.

Phenacite answered 10/10, 2020 at 19:8 Comment(2)
I don't think you need a key to decode a JWT token. They all follow the industry standard RFC 7519 and can be decoded by anyone. Since you don't pass anything sensitive in the token, it's not a risk (unless you let it get stolen by someone who knows how to use it to log in to your account). There are many decoders out there that can do the same thing: jwt-decode, jwt-auth, etc. - Farmyard
The key is of course not used to decode the token, but to verify the signature. The token itself is only base64url encoded. - Billionaire

The token contains the issuer (iss) of the token and the key id (kid), which identifies the public key that is needed to verify the signature. With this information, jwt.io can find the public key in the form of a JWK (JSON Web Key) on a JWKS endpoint (/.well-known/jwks.json) to verify the token. A JWKS (JSON Web Key Set) contains an array of JWKs; the link shows an example.

According to the Cognito documentation, this mechanism is used when you use the Amazon user pool to authenticate your users.

Providing keys via a JWKS endpoint is a standard mechanism which is also used by other providers, e.g. Microsoft Azure.

Billionaire answered 10/10, 2020 at 19:21 Comment(1)
So if I understood you correctly, it's from "kid" and "iss" that it will fetch the public key to verify the signature of the JWT token? Is this mandatory for Cognito to provide these details in the token? Can you elaborate a little more, if possible? - Phenacite

I've been trying to understand that myself too. If you open developer tools and watch the requests made by jwt.io when you paste the token in the debugger page, you'll see it makes additional requests.

In my token the iss was:

"iss": "http://localhost:8080/auth/realms/myrealm"

hence jwt.io added the standard path /.well-known/openid-configuration and made an XHR request to

http://localhost:8080/auth/realms/myrealm/.well-known/openid-configuration

There it found a lot of information in JSON, and among it there was jwks_uri:

{
...
"jwks_uri": "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/certs",
...
}

And then there was another XHR request to the above URL, and the response was the JWKS. Having that public key, jwt.io could verify the token. At least that's what I think happens.

Grazia answered 28/10, 2020 at 11:30 Comment(1)
HAHAHA. Yes, this is exactly what happened. +1 for this - Valance
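Both answers above describe the same discovery chain: read iss and kid from the token, append /.well-known/openid-configuration to the issuer, follow jwks_uri to the JWKS, pick the JWK whose kid matches, and verify RS256 with it. The following script is an added example, not code from any of the answers or from jwt.io; it walks that chain end to end against an in-memory stand-in for the two HTTP responses, and adds the checks a resource server needs that a debugger does not: an issuer allowlist (so the token cannot point you at a key server of its own choosing), alg pinned to RS256, and an exp check. The issuer https://issuer.example.com, the key id example-key-1, the /keys path, the fetch_json stand-in and the toy RSA key built from two Mersenne primes are all assumptions constructed for this example; the key is deliberately not a safe one, it only lets the script run offline with the standard library.

```python
import base64
import hashlib
import json
import time

# Toy RSA key built from two Mersenne primes. Constructed for this example only;
# it is NOT a safe key, it just makes the demo run offline without any library.
_P = (1 << 521) - 1
_Q = (1 << 607) - 1
RSA_N = _P * _Q
RSA_E = 65537
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))  # private exponent (Python 3.8+)
ISSUER = "https://issuer.example.com"          # constructed issuer URL
KID = "example-key-1"                          # constructed key id
TRUSTED_ISSUERS = {ISSUER}                     # allowlist: never fetch keys from an arbitrary iss

# DER prefix of the SHA-256 DigestInfo used by EMSA-PKCS1-v1_5 (RFC 8017, 9.2 note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _int_to_b64url(value):
    return b64url_encode(value.to_bytes((value.bit_length() + 7) // 8, "big"))


def _emsa_pkcs1_v15(message, k):
    """EM = 0x00 || 0x01 || PS || 0x00 || DigestInfo(SHA-256), as an integer of k bytes."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def make_token(payload, kid=KID, alg="RS256"):
    """Issue a JWT with the toy key; alg="none" yields an unsigned token for the negative test."""
    header = {"alg": alg, "kid": kid, "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if alg == "none":
        return f"{h}.{p}."
    k = (RSA_N.bit_length() + 7) // 8
    sig = pow(_emsa_pkcs1_v15(f"{h}.{p}".encode(), k), _RSA_D, RSA_N)
    return f"{h}.{p}." + b64url_encode(sig.to_bytes(k, "big"))


# Constructed stand-in for the two HTTPS fetches jwt.io makes (discovery document, then JWKS).
_FAKE_WEB = {
    ISSUER + "/.well-known/openid-configuration": {"issuer": ISSUER, "jwks_uri": ISSUER + "/keys"},
    ISSUER + "/keys": {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": KID,
                                 "n": _int_to_b64url(RSA_N), "e": _int_to_b64url(RSA_E)}]},
}


def fetch_json(url):
    return _FAKE_WEB[url]  # a real client would do an HTTPS GET here and cache the JWKS


def resolve_jwk(iss, kid):
    """iss -> /.well-known/openid-configuration -> jwks_uri -> JWKS -> key with matching kid."""
    config = fetch_json(iss.rstrip("/") + "/.well-known/openid-configuration")
    jwks = fetch_json(config["jwks_uri"])
    for jwk in jwks["keys"]:
        if jwk.get("kty") == "RSA" and jwk.get("kid") == kid:
            return jwk
    return None


def verify_jwt(token, now=None):
    """Return the payload if the token verifies; raise ValueError otherwise."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    payload = json.loads(b64url_decode(p_b64))
    if header.get("alg") != "RS256":           # pin the algorithm; never accept "none" or a downgrade
        raise ValueError("unexpected alg")
    if payload.get("iss") not in TRUSTED_ISSUERS:  # only discover keys from issuers you trust
        raise ValueError("untrusted issuer")
    jwk = resolve_jwk(payload["iss"], header.get("kid"))
    if jwk is None:
        raise ValueError("no key with kid")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(s_b64)
    expected = _emsa_pkcs1_v15(f"{h_b64}.{p_b64}".encode(), k)
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n) != expected:
        raise ValueError("bad signature")
    if payload.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return payload


def why_rejected(token, now=None):
    """None if the token verifies, otherwise the reason string."""
    try:
        verify_jwt(token, now)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    tok = make_token({"iss": ISSUER, "sub": "user-42", "exp": 2_000_000_000})
    print(verify_jwt(tok, now=1_700_000_000))
```

Run it directly to see the verified payload printed. To use it against a real provider, replace fetch_json with an HTTPS GET and cache the JWKS keyed by kid, refetching only when an unknown kid shows up (that is how key rotation is handled). The first hop is exactly the request the second answer observed; for a provider like Cognito that publishes its JWKS at a /.well-known/jwks.json URL, as the first answer notes, the same code applies with the discovery step skipped and the JWKS URL configured directly.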