JSON Web Tokens (JWTs) are tokens used to validate the identity of the requester and ensure the integrity of the retrieved information.
The user provides their authentication credentials to the client. The client then sends a request to the authentication server (Keycloak in our case), which validates the credentials.
Structure of a JWT
header.payload.signature
More precisely:
Base64UrlEncode(header).Base64UrlEncode(payload).Signature(Base64UrlEncode(header) + "." + Base64UrlEncode(payload), private_key)
- header = information about the algorithm used to sign the JWT
- payload = data (not encrypted)
- signature = ensures the data hasn't been altered (generated using the private key)
Be cautious with the data included in the payload: it is only base64url-encoded, not encrypted, so anyone holding the token can read it. Do not include sensitive information.
RS256
With RS256, a public/private key system is used to sign and validate the tokens. The private key is used by the authentication server to sign the JWT, and the public key is used to validate it.
The main advantage is that there's no need to share a secret key between microservices, reducing the risk of compromise. The public key is usually static and can be shared safely.
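A worked version of the structure above and of RS256 signing and public-key verification, added here as an illustration and not taken from the original notes or from Keycloak. It uses only Go's standard library; the key pair is assumed to be the one the authentication server holds (clients only ever see the public half), and the verifier pins alg to RS256 before checking the signature over header.payload.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // every JWT segment is unpadded base64url

// signRS256 builds header.payload.signature; only the holder of the private key can do this.
func signRS256(payload []byte, priv *rsa.PrivateKey) (string, error) {
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input)) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyRS256 needs only the public key: pin alg, check the signature over header.payload, then return claims.
func verifyRS256(token string, pub *rsa.PublicKey) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	hdr, err1 := b64.DecodeString(p[0])
	body, err2 := b64.DecodeString(p[1])
	sig, err3 := b64.DecodeString(p[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	var h struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdr, &h) != nil || h.Alg != "RS256" {
		return nil, errors.New("unexpected alg") // the token itself never picks the algorithm
	}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature") // any edit to header or payload fails here
	}
	var claims map[string]any
	return claims, json.Unmarshal(body, &claims)
}
```

Services that only verify tokens need just `verifyRS256` and the public key, which is the property the section above describes.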