(no title)

> thanks for writing this up! i have been looking at switching to PASETO instead of jwt

I'm glad to hear that! PASETO would solve all the cryptography issues I've described above.

> one thing though - the reason we use asymmetric encryption is to allow other clients to validate tokens without calling a central server

There seem to be two different usages of asymmetric JWT in OpenAUTH:

1. Asymmetric RSA signatures for access tokens. These tokens can be validated by any third party server which supports JWT. The tokens are SIGNED, but not ENCRYPTED. If you did encrypt them, then third party servers will not be able to verify the token without having the private key — which is obviously insecure.

This type of token would usually be asymmetric if you want to support multiple audiences ("resource servers" in OAuth 2.0 terms) with the same token. If you have just one audience, I would still make this token symmetric, unless key distribution is a problem. AWS JWT authorizer sucks[1], but you could write your own lambda authorizer. Google Cloud (Apigee)[2] and Azure API Management[3] natively support HS256/384/512, so this is mostly an AWS problem.

2. Asymmetric signature AND encryption for cookies. I guess these cookies are used for saving SSO state and PKCE verifier, but I didn't dive deeply into that. This cookie seems to be only read and written by the OpenAUTH server, so there is no reason for using asymmetric encryption, let alone using it with the same RSA keypair for both encryption and signature[4].

Since the cookie is only read by OpenAUTH, you can just use PASETO v4.local for this cookie.

---

[1] I wouldn't trust the security of a product which ONLY allows RSA, when they could have enabled safer protocols with a single line of code.

[2] https://cloud.google.com/apigee/docs/api-platform/security/o...

[3] https://learn.microsoft.com/en-us/azure/api-management/valid...

[4] https://crypto.stackexchange.com/questions/12090/using-the-s...