Does anyone have a full working example of signing JWTs? I guess this is partly a question about the process too… this is related to earlier work I did (and this other post).
When you complete a sign-in with Google, you are given a JWT. You can can look up the PEM that was used to sign the key at https://www.googleapis.com/oauth2/v1/certs
And that can be used to verify that the JWT has not been tampered with.
There’s this Elixir example:
key = 'the shared secret key here' message = 'the message to hash here' signature = :crypto.hmac(:sha256, key, message) # to lowercase hexits Base.encode16(signature, case: :lower)
When you’re dealing with a JWT, the message is a Base64 encoding of the JSON header + the JSON claims. But what’s the
key in this scenario? When Google lets us query its PEM, what is in that PEM? Is it a private key? A public key? Or a combination? And what gets used to sign the JWT?
I’m writing tests around this stuff, so I need to be able to generate a public + private key, convert them (or one of them?) to PEM format, and then properly sign the key so that the JWT can be properly checked.