Asymmetric JWT Signing using AWS KMS

Asymmetric JWT Signing using AWS KMS

Node.js implementation using an asymmetric encryption key stored on AWS KMS to sign JWT tokens and verifying them using the public key.

How to sign your JWT tokens without exposing your private key using AWS KMS

Image for post


Node.js implementation using an asymmetric encryption key stored on AWS KMS to sign JWT tokens and verifying them using the public key. You can skip to the solution architecture.

JWT, Token Verification, and You

JWT tokens are an industry-standard, used mainly for user authentication.

It’s basically a JSON block with a signature attached, which allows you to verify that the content of the JSON was not tempered with. In the most common case, when your user logs in she gets a JWT token that is added to every request she sends, and this token is used to verify her identity.

How do you verify that your user is really who she claims to be? You take the signature from the JWT token and using your encryption key, you verify that it matches the content of the JSON. That’s called Token Verificaiton. The process of the creation of the signature in the first place is called Signing.

In order to sign and verify the token, you need an encryption method — either a symmetric or asymmetric (also called Public-Key encryption). In symmetric encryption, you’ll use the same key to sign and verify your token. In asymmetric encryption, you’ll use your private key to sign the token, and the public key to verify it.

What are we trying to solve?

Given a private key (either a symmetric or asymmetric), signing and verifying a string is quite simple, and there are multiple libraries for that.

However, to use most of these libraries you’ll need to have access to your secret key in order to sign the message (and if you’re using symmetric encryption, also to validate it). This is where things start to get messy: you need to keep your secret key somewhere that is reachable by your code, and at the same time, you’ll need to add a lot of protection layers on it to make sure no one gets his hands on it.

So what we want to solve is this: How to minimize the access to your private key and still be able to use it without too much fuss.

The first part of the solution is to use asymmetric encryption. In asymmetric you only need the private key to sign the token. The validation phase only requires the public key, and that can be, well, publicly available. This split will minimize the number of functions that need to access the private key.

The second part of the solution is to use AWS’s KMS service, which allows you to generate keys and use the KMS API to sign/validate messages without ever having direct access to the private key. Yes, that’s right: you’re generating a new private key, but you never get the private key. All you can do is ask AWS to use your key in order to sign or validate a token.

Let’s see how to do that.

cloud encryption jwt aws development

Bootstrap 5 Complete Course with Examples

Bootstrap 5 Tutorial - Bootstrap 5 Crash Course for Beginners

Nest.JS Tutorial for Beginners

Hello Vue 3: A First Look at Vue 3 and the Composition API

Building a simple Applications with Vue 3

Deno Crash Course: Explore Deno and Create a full REST API with Deno

How to Build a Real-time Chat App with Deno and WebSockets

Convert HTML to Markdown Online

HTML entity encoder decoder Online

Hire AWS Developer

Looking to Hire Professional AWS Developers? The technology inventions have demanded all businesses to use and manage cloud-based computing services and Amazon is dominating the cloud computing services provider in the world. **[Hire AWS...

Hire Dedicated AWS Developer

Want to Hire AWS Developer for cloud computing services? At **[]( "")**, we leverage maximum benefits from the AWS platform ensuring prominent Solutions for business requirements....

Multi-cloud Spending: 8 Tips To Lower Cost

Mismanagement of multi-cloud expense costs an arm and leg to business and its management has become a major pain point. Here we break down some crucial tips to take some of the management challenges off your plate and help you optimize your cloud spend.

AWS Cloud Practitioner | AWS Certified Cloud Practitioner - Full Course

AWS Cloud Practitioner tutorial will give you a complete understanding of the AWS Cloud platform and help you prepare for the AWS Certified Cloud Practitioner Examination (a.k.a AWS CCP Examination). This AWS course is intended for individuals who need the knowledge and skills necessary to effectively demonstrate an overall understanding of the AWS Cloud, independent of specific technical roles addressed by other AWS Certifications.

Top 10 AWS Cloud Migration Tools and Services

Take a look at some of the top cloud migration services you can use to migrate your services from on-premises to AWS Cloud. You need to understand the general terms of this field.