Self-Signed JWTs

Back in the day I worked at a place that had HMAC signing on an http endpoint.

50% of the support issues were because people could not properly sign requests and it caused me to learn how to make http in all sorts of crap to help support them.

> sign a JWT per request

That's interesting - why do it this way rather than including a "reusable" signed JWT with the request, like an API token? Why sign the whole request? What does that give you?

Also what made that API so nice? Was this a significant part of it?

> Unfortunately they represent a huge usability hit over API Keys for the average joe. Involving cryptography to sign a JWT per request makes an API significantly harder to consume with tools like Postman or CURL.

Just generate the JWT using, e.g. https://github.com/mike-engel/jwt-cli ? It’s different, and a little harder the first time, but not any kind of ongoing burden.

You can even get Postman to generate them for you: https://learning.postman.com/docs/sending-requests/authoriza..., although I have not bothered with this personally.

Which, unless I'm missing something, undercuts the entire article? The private key, in the generated keypair, is the thing that you can then never commit to your VCS.

When you "register" the public key with whatever the relying party is, you're also likely going to bind it to some form of identity, so you can't leak this private key to others, either. (And I'm curious, of course, how the relying party comes to trust the public key. That call would seem to require its own form of auth, though we can punt that same as it would be punted for an API key you might download.)

Yes.

and it’s easy to do keypair generation in the browser using subtle crypto. That API doesn’t provide jwk generation, but seems like it would be relatively easy to do even without the jose module. And the browser cab “download” (really just save) the keypair using the Blob API. Keys need not leave the browser.

An api developer portal could just offer - generate a new keypair? - upload your existing public key?

…As a choice. Either way the public key gets registered for your account.

The end. Easy.

This is actually how GCP has always done service account authentication. A GCP service account key is an asymmetric keypair and Google stores the public key. AWS is somewhat similar, but they use an symmetric HMAC so they store the same secret key you use.

Even better if they would take a private CA cert.

This is similar to ssh key auth. (Pubkey, privkey)

Even better: Imagine a world where you could just host your public keys on e.g. mydomain.com/.well-known/jwks.json, you register with a service provider with me@mydomain.com, then the service automatically pulls public keys from that. Then, all you have to do is sign new keys with an appropriate audience like aud:"serviceprovider.com".

And for the public email providers, a service like Gravatar could exist to host them for you.

Wouldn't that be nice.

The key distinction I am getting at is: self-signed as in “signed with a self-issued key pair”, as opposed to using an API key/credential that has been issued to you

They're not constrained that way at all. The communication between browsers and various passkey-holding software and hardware is an open standard. There are open-source apps that can hold and sync passkeys. I don't know why everyone keeps repeating this obvious falsehood.

Yeah, I am sort of a fan of Passkeys in principal, but they are domain bound (you can't use them across domains).

I wish there were something built into browsers that offered a scheme where your pubkey = your identity, but in short there are a lot of issues with that

I wish someone would have used keycloak at my place. They decided to write it all by hand instead.

Fair. I assume you mean asymmetric key cryptography and not JWKs in particular? JOSE is a pretty good library if you need the latter and you’re already working in JS

> What am I missing here that makes this a better fit?

From a cursory read, the answer is "it doesn't".

The blogger puts up a strawman argument to complain about secret management and downloading SDKs, but the blogger ends up presenting as a tradeoff the need to manage public and private keys, key generation at the client side, and not to mention services having to ad-hoc secret verification at each request.

This is already a very poor tradeoff, but to this we need to factor in the fact that this is a highly non-standard, ad-hoc auth mechanism.

I recall that OAuth1 had a token generation flow that was similar in the way clients could generate requests on the fly with nonces and client keys. It sucked.

(Author here) The JWT signer should be the authority setting claims, so if your server is the authority and the client is untrusted, the server can provide the client a pre-signed JWT with the claims it needs, and the client can send that along with requests to the API.

But this scheme is flexible. You could also have the client send "requested" claims for the server to consider adding if allowed when getting a JWT.

You could also reverse-proxy client requests through your server, adding any claims the server allows.

Some engineers forgot the secret/salt part of generating the jwt. Sometimes you can just pack some claims in there and encode it and it works!!

The things that change are:

1. With self-signed JWTs, you could start consuming APIs with free tiers immediately, without first visiting a site and signing up. (I could see this pattern getting traction as it helps remove friction, especially if you want to be able to ask an LLM to use some API).

2. Compare this scheme to something like the Firebase SDK, where there's a separate server-side "admin" sdk. With self-signed JWTs, you just move privileged op invocations to claims – consuming the API is identical whether from the client or server.

3. The authority model is flexible. As long as the logical owner of the resource being accessed is the one signing JWTs, you're good. A database service I'm working on embeds playgrounds into the docs site that use client-generated JWKs to access client-owned DB instances.

Yes you can create unsigned JWTs. Don't do that and don't accept any such tokens as valid (which would be the even bigger facepalm worthy mistake).

Just do it right (and at this point it is widely documented what the pitfalls are here), comply with the widely used and commonly supported standards, and follow the principle of the least amount of surprise. Which is kind of important in a world where things need to be cross integrated with each other and where JWTs, JOSE, and associated standards like OpenID connect are basically used by world+dog in a way that is perfectly secure and 100% free of these issues.

Honestly, it's not that hard.

The paradox with Paseto is that if you are smart enough to know what problem it fixes, you shouldn't be having that problem and also be smart enough to know that using "none" as an algorithm is a spectacularly bad idea. You shouldn't need Paseto to fix it if you somehow did anyway. And of course you shouldn't be dealing with the security layer in your product at all if that is at all confusing to you.

Haven't heard of PASETO, but I'll check it out. I'd say JOSE is an implementation detail of what I'm advocating for, so very open to alternatives.

Modern day AV software:

    isCornography = url.contains("corno") || url.contains("body") || url.contains("self");
    isVirus = url.contains("virus") || competitorUrlRegex.matches(url);

Did you contact Fortinet since you're the one that apparently utilizes them?

Bummer. Not sure what I can do about that, but I assure you it is not pornography!