JWT Signature Verification Flow (RS256)

-



JWT Signature Verification Flow (RS256)

This document explains how JWT (JSON Web Token) signature verification works using asymmetric encryption (e.g., RS256), where the issuer signs with a private key and the verifier checks it using a public key.


Example Input

JWT Header (before encoding):

{ 
  "alg": "RS256", 
  "typ": "JWT"
}

JWT Payload (before encoding):

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

After Base64URL encoding:

  • Header: lmn

  • Payload: pqr

Signature Generation:

Signature = signWithPrivateKey("lmn.pqr") = x123

Final JWT:

JWT = lmn.pqr.x123


Signature Generation (by Token Issuer — e.g., AWS Cognito)

  1. The issuer (e.g., AWS Cognito) creates a message:

    message = lmn.pqr

  2. The message is signed using the private RSA key and the algorithm specified in the JWT header:

    • RS256 = RSA with SHA-256 hashing.

    • Signature is generated as:

      x123 = signWithPrivateKey(SHA256(message))

  3. The full JWT becomes:

    lmn.pqr.x123

Signature Verification (on the Backend)

When your backend receives the JWT:

  1. Split the JWT into its parts:

    header = lmn
    payload = pqr
    signature = x123

  2. Reconstruct the message to verify:

    message = lmn.pqr

  3. Decode the header to read the algorithm:

    { "alg": "RS256" }

  4. Fetch the public key (from a trusted JWKS endpoint like AWS Cognito):

    • On the first request, fetch the public key.

    • Cache the key to avoid fetching on every request.

  5. Verify the signature:

    • Compute the hash of the message:

      hash1 = SHA256(lmn.pqr)

    • Decrypt the provided signature using the public key:

      hash2 = decryptSignatureWithPublicKey(x123)

  6. Compare the hashes:

    if (hash1 == hash2)
    →  Token is valid
else
    → Token is invalid or tampered

Important Notes

  • The alg field in the JWT header tells the verifier what algorithm to use (e.g., RS256).

  • The issuer signs with a private key, and the receiver verifies using the matching public key.

  • The JWT payload is not encrypted — it is just Base64URL encoded, so its content is readable.

    • Do not store sensitive data in the payload unless encrypted or properly protected.

  • Always validate:

    • Signature

    • Expiration (exp claim)

    • Issuer (iss)

    • Audience (aud)



Comments

Post a Comment

Popular posts from this blog

Database - Topics

-
Image
 Topics  01. Steps in SQL Query Execution 02. How does the database create a query plan 03. How Query Plan Caching Works 04. What is the need for an execution plan? 05. How Do Query/ Query Plan Execute (Inside MySQL Server) 06. Importance Of Undo Log 07. How Row Lock Is Handle When Query On The Table Row 08. Technique to recover the committed changes 09. Auditing technique 10. Query cache 11. DB connection pool 12. What is ACID? 13. Optimizing SQL queries
Read more

02. Spring – Creating spring project clone it with GIT step by step.

-
Image
  Creating spring project clone it with GIT step by step. 01. Create an empty GIT repository and select a repository name. 02.   Check to add README.md and technology to add it inside the gitignire file0- it will include all the generated class when we complete the application. 03.      Copy the github repository URL. 04 . Open eclipse and go to,             Window – Show View – Other - Type git on the folder and select git repositories. 05.   Now clone this repository at your desired location in which we are going to keep the project specific file . a)         a)  Step One.             b)  Step  Two .          c)    Step Three. Both projects are generated as bellows           d) Step Four  Open the gitingnore file and ignore the target folder of the project. All the class files which are ...
Read more

01. Steps in SQL Query Execution (MySQL)

-
Image
Steps in SQL Query Execution (MySQL) 1. Client Sends Query to Server The SQL statement is sent to the MySQL server over a connection (e.g., via JDBC or a query tool like MySQL Workbench). 2. Parser / Syntax Check The parser checks the SQL syntax.If there are any syntax errors, it throws an error immediately. 3. Pre-processor Verifies privileges and permissions for the user executing the query. Resolves object names (like table or column aliases). 4. Query Optimization The optimizer evaluates multiple strategies to execute the query. It considers: Which indexes to use. Join order (for multi-table queries). Whether to use temporary tables. Cost of different execution paths. The optimizer chooses select the most efficient query plan (Cost effective -> memory, CPU etc). 5. Query Execution Plan (Most cost effective query plan) The query plan is a blueprint of how MySQL will fetch the data. You can view this with the EXPLAIN keyword in front of your query. 6. Query Execution The storage e...
Read more