JWT with RSA Key Pair in Node.JS
Introduction
I wrote this post after exploring JWT with an RSA key pair for my office project today, and I thought, why not write a simple recap here. So, a quick introduction: JSON Web Token, or JWT, is an open standard used to share security information between two parties, a client and a server. Each JWT contains encoded JSON objects, including a set of claims. JWTs are signed using a cryptographic algorithm to ensure that the claims cannot be altered after the token is issued.
Ways to generate the token
Basically there are two ways to generate and verify the token; we can use:
1. Symmetric Algorithm
In a symmetric algorithm, a single key is used to encrypt the data, and data encrypted with that key can be decrypted using the same key. For example, Fahad encrypts a message using the key "my-secret-key321" and sends it to Zaid; Zaid will be able to decrypt the message correctly if and only if he uses the same key, "my-secret-key321". That's it.
2. Asymmetric Algorithm
In an asymmetric algorithm, two keys are used: a private key and a public key. The private key is used to digitally sign (or encrypt) the message, and the public key is used to verify the authenticity of the signature (or decrypt). This approach usually means RSA, which is an asymmetric encryption and digital signature algorithm. What asymmetric algorithms bring to the table is the possibility of verifying or decrypting a message without being able to create a new one. This is key for certain use cases.
Implementation in Node.js
Today we will focus on the asymmetric algorithm, RSA style. This approach is commonly used in a microservices architecture when we build an auth service and need to verify the token in another service in a secure way. So the TODO list is:
- Set up a Node.js project (a REST API server); it doesn't matter which framework you use, it's up to you.
- Install the mandatory dependencies:
  - jsonwebtoken: used to generate / verify the token
  - rsa-pem-to-jwk: used to convert the PEM to JWK JSON (optional, but more secure compared to using the naked public.pem)
  - jwk-to-pem: used to convert the JWK back to the original public key (for decryption / verification)
- Generate Private & Public key
In your project directory, run the following to generate the private and public PEM files:
openssl genrsa -out private.pem 3072
openssl rsa -in private.pem -pubout -out public.pem
- Generate JWT Token with private.pem
It's time to generate the JWT token. This code is called when your client hits the register / login endpoint.
const jwt = require("jsonwebtoken");
That's it. When you want to decrypt the token, simply bring public.pem (copy-paste it into the other services) and you are ready for the verification process. The code looks like this:
const jwt = require("jsonwebtoken");
- Generate JWK & store in a secure place
This is optional; you can stop at the previous step and use the naked public.pem. But I think it's more secure if we use a JWK. A JWK, or JSON Web Key, is a JSON data structure that represents a set of public keys. After we generate the JWK we can store it in some secure place, for example AWS S3 or similar, so we don't need to bring the public.pem file / copy-paste it into each service anymore when doing the decryption process. To convert the PEM to a JWK I'm using the rsa-pem-to-jwk library; here is the code:
const fs = require("fs");
After that, we just execute the file with node filename.js and it will print the JWK on the console. Grab that JWK object, save it as a JSON file and put it in your trusted place. For the simple way, I'm storing it on Google Cloud Storage and exposing the token so our microservices can grab the token with axios or another HTTP client library.
- Verify with the JWK
Lastly, we need to verify using the JWK. This middleware executes when your client hits a protected route. The grabJwk() function is basically an HTTP call that targets our JWK URL. The code looks like this:
const jwt = require("jsonwebtoken");
That's it, ready to use in every service. I hope this recap was useful. Stay safe & bye!