danscan | 7 months ago

(Author here) The JWT signer should be the authority setting claims, so if your server is the authority and the client is untrusted, the server can provide the client a pre-signed JWT with the claims it needs, and the client can send that along with requests to the API.

But this scheme is flexible. You could also have the client send "requested" claims for the server to consider adding if allowed when getting a JWT.

You could also reverse-proxy client requests through your server, adding any claims the server allows.
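The scheme described in the comment above (the server is the signing authority, and client-supplied "requested" claims are admitted only where the server's policy allows), as an added example that is not part of this thread: a stdlib-only HS256 JWT issuer and verifier; the secret, the allow-listed claim names and the policy checks are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

SERVER_SECRET = b"constructed-example-secret"   # held only by the server / API, never the client

# "Requested" claims the server will consider, each with a policy check the value must pass.
ALLOWED_REQUESTED = {
    "scope": lambda v: isinstance(v, str) and set(v.split()) <= {"read", "write"},
    "aud":   lambda v: v in ("reports-api", "billing-api"),
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()

def issue_token(subject: str, requested: dict, now=None, ttl=300) -> str:
    """Server mints the JWT. Identity and lifetime claims come from the server's own view;
    client-requested claims are copied only if allow-listed and their value passes policy."""
    now = int(time.time()) if now is None else now
    claims = {"iss": "server", "sub": subject, "iat": now, "exp": now + ttl}
    for name, value in requested.items():
        check = ALLOWED_REQUESTED.get(name)
        if check is not None and check(value):
            claims[name] = value
        # anything else ("admin": true, a different "sub", ...) is dropped, not honoured
    signing_input = _b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(_json(claims))
    sig = hmac.new(SERVER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, now=None):
    """API side: return the claims only if alg is the expected HS256, the HMAC matches and
    the token is unexpired; otherwise None. Claims are trusted because the server signed them."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(_unb64url(h64)), json.loads(_unb64url(p64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None   # reject "none" / algorithm-swap headers before touching the signature
        expected = hmac.new(SERVER_SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s64)):
            return None
        return claims if isinstance(claims, dict) and claims.get("exp", 0) > now else None
    except (ValueError, TypeError, AttributeError):
        return None
```

A client asking for `{"scope": "read", "admin": true, "sub": "root"}` gets a token carrying `scope` but neither `admin` nor an overridden `sub`, and any payload it edits afterwards fails the HMAC check.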

danscan | 7 months ago

In some apps, the client may be the signing authority (e.g. it owns the resource it's accessing).

In that case, the client can possess the JWK keypair and do its own signing.