- changed status to resolved
Public/Private Keys
Issue #233
resolved
I'm not sure if my use case is specific or not but they way that public and private keys are used seems the wrong way round.
We're trying to implement SSO across many sites, but to validate a JWE token we have to decrypt it using the private key, which means each of the sites has to have the private key available. The RSAprivate key has the RSApublic key embedded in it in Java which means that all the sites except the the one doing the token generating one has to have the private key.
Should the token not be encrypted with the private key and decrypted by the public one, then the private key is only in one place? or is there another pattern I'm missing?
Comments (1)
-
- Log in to comment
If the token needs to have the properties "non-repudiation" and "authenticity" it must be signed:
https://connect2id.com/products/nimbus-jose-jwt/algorithm-selection-guide
If the token content must also be kept confidential between SSO provider and relying parties, encrypt it with a shared key, or with a public belonging to the intended relying party.
The approach that you described has a problem: anyone who has the public key can encrypt a token with it it; there's no way to know where the token originates from. This can only be achieved with a digital signature.
BTW, there are ways to derive the public key parameters from a private key: https://stackoverflow.com/questions/11345346/how-to-get-a-rsa-publickey-by-giving-a-privatekey#11348454