
Validating iss and aud for internally signed JWT

Çağlar Arlı


I have an identity service that issues JWTs that are signed with a private key.

I have several resource services that consume that token to determine the claims of the user and thereby to determine the authorization scope. Naturally, the resource service also has access to the public key counterpart that can be used for signature validation.

Note that both identity and resource services are developed and managed by me. Consider that the resource service does not call any other external service with the token, and just uses the token to derive the authorization scope.

As the header and payload of a JWT can easily be decoded, anyone with access to the private key can create a token with the intended aud and iss. In this scenario, does validating aud and iss bring anything additional from a security perspective, even though every other token validation best practice says to validate aud and iss? Considering the private key is securely stored, isn't it enough to validate the signature of the JWT alone (along with the claims of the user, but that is not relevant for this discussion) in this scenario?