JWT - Using Public Key to Verify User Data

Updated 9 months ago by Jeff Mitchell

JWT

When authentication flows complete using AE Connect, the returned user object contains a JWT property.

As an additional security measure this property and your AE Connect public key can be used to verify that the source of the data originated from your instance of AE.

example output format with jwt:

Public Key

AE Connect provides a public key that can be used verify data provided by AE. For example to verify the signature on a JWT provided in the user object after authentication.

example public key:

Verifying JWT with Public Key

Depending on the language used various libraries are available to decode, verify and generate JWT. See https://jwt.io/ for examples.

The JWT is signed by AE using a private key.

You will need the JWT and the public key provided by AE Connect. Generally, you will then pass those values to provided methods by your chosen library that will verify that the JWT has been signed properly.

sample php code:

// see: https://github.com/Spomky-Labs/jose

require_once __DIR__
.'/vendor/autoload.php';

use Jose\Checker\ExpirationChecker;
use Jose\Checker\IssuedAtChecker;
use Jose\Checker\NotBeforeChecker;
use Jose\Factory\KeyFactory;
use Jose\Factory\LoaderFactory;
use Jose\Factory\VerifierFactory;
use Jose\Object\JWKSet;
use Jose\Object\JWSInterface;

// We create a JWT loader.
$loader
= LoaderFactory::createLoader();

// We load the input
$jwt
= $loader->load($input);

if (!$jws instanceof JWSInterface) {
die('Not a JWS');}

// Please note that at this moment the signature and the claims are not verified

// To verify a JWS, we need a JWKSet that contains public keys (from RSA key in your case).// We create our key object (JWK) using a RSA public key
$jwk
= KeyFactory::createFromPEM('----- PUBLIC KEY FROM AE CONNECT -----');

// Then we set this key in a keyset (JWKSet object)// Be careful, the JWKSet object is immutable. When you add a key, you get a new JWKSet object.
$jwkset
= new JWKSet();
$jwkset
= $jwkset->addKey($jwk);


// We create our verifier object with a list of authorized signature algorithms (only 'RS512' in this example)// We add some checkers. These checkers will verify claims or headers.
$verifier
= VerifierFactory::createVerifier(
['RS512'],
[
new IssuedAtChecker(),
new NotBeforeChecker(),
new ExpirationChecker(),
]);

$is_valid
= $verifier->verify($jws, $jwkset);

// The variable $is_valid contains a boolean that indicates the signature is valid or not.// If a claim is not verified (e.g. the JWT expired), an exception is thrown.

//Now you can use the $jws object to retreive all claims or header key/value pairs


How did we do?