
Why do I not need a private key to decode my Amazon JWT?

I've been reading that when using Amazon Cognito for verification and for JWT tokens, all I need to decode the signature is the public key. However, if that's true, I would think that makes it less secure since someone could change their JWT and then alter the signature, and my decoding on the API side would not know the difference since I do not know the private key, and the public key is, well, public, and can be used to generate a signature.

Can anyone help clarify this?

Due to the use of Asymmetric encryption (with private/public key pairs), no-one can modify the token and add a signature to it that is accepted by someone using the public key of the original sender.

The content inside a token is public and can be accessed by anyone who has it, which is why you should not store GDPR-sensitive data inside it. But still, no-one can generate new tokens without a copy of the private key.

It can also be wise to do regular key rotation, where you replace the private key with a new one on a regular basis.
