You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A web application calling this web service needs to know the same secret as the web service to verify the signature of the JWT token.
We should switch from HS256 JWT algorithm to RS256. RS256 has private/public key pair so the web service creating the tokens needs the private key and the web service that wants to verify the token only needs the public key.
A web application calling this web service needs to know the same secret as the web service to verify the signature of the JWT token.
We should switch from HS256 JWT algorithm to RS256. RS256 has private/public key pair so the web service creating the tokens needs the private key and the web service that wants to verify the token only needs the public key.
See https://fastapi-users.github.io/fastapi-users/10.4/configuration/authentication/strategies/jwt/?h=rs256#rs256-example
The public key could be made available to consumer via a JSON Web Key Set at
GET /.well-known/jwks.jsonroute.If #54 is fixed then this web service would only need to verify tokens. The user management service should create tokens.
The text was updated successfully, but these errors were encountered: