erlang-jose
Verifying JWT with the RS256 algorithm using public key
Can I read the public key from a file and verify the token?
Yes, there are a few functions provided for reading JSON Web Keys from files:
- JOSE.JWK.from_file/1,2
- JOSE.JWK.from_oct_file/1,2
- JOSE.JWK.from_openssh_key_file/1
- JOSE.JWK.from_pem_file/1,2
Here is a list of examples of each of the signing and verification operations by algorithm type: https://hexdocs.pm/jose/JOSE.JWS.html#module-examples
If you're using RS256, for example, you might do the following:
```elixir
public_jwk = JOSE.JWK.from_openssh_key_file("my-rsa-key.pub")

case JOSE.JWT.verify_strict(public_jwk, ["RS256"], token) do
  {true, jwt, _jws} ->
    # use the verified jwt claims however you would like...
    # NOTE: only the signature has been verified,
    # things like token expiration are not part of this library
    {:ok, jwt}

  _ ->
    # invalid token, do something else
    {:error, :invalid_token}
end
```
Please let me know whether that works for you or if you have any other questions.
```erlang
read_key(RsaKey) ->
    case jose_jwk:from_pem_file(RsaKey) of
        {error, _} -> {undefined};
        RsaPrivateKey -> jose_jwk:to_public(RsaPrivateKey)
    end.
```
Works for me, but when I check an expired token with jose_jwt:verify_strict(RsaPublicKey, [<<"RS512">>], Token), it returns {true, _, _}. Second, when I change data in a claim, verify returns {false, _, _}, although I didn't change the key and use algorithm "RS512". Is this a bug or my fault?
Same with me, expired token seems to work.
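As the note in the maintainer's snippet says, verify_strict checks only the signature, so an expired token still returns `{true, _, _}`. The following is an added example, not code from the thread or from erlang-jose, of checking `exp` and `nbf` after the signature. The `TokenCheck` module, its error atoms and the 30-second leeway are assumptions; it expects to run inside a Mix project that has jose (and a JSON library it can use) as a dependency.

```elixir
defmodule TokenCheck do
  # Hypothetical helper (not part of erlang-jose): verify the signature first,
  # then the time-based claims that verify_strict does not look at.
  @leeway 30 # assumed clock-skew allowance, in seconds

  def verify(public_jwk, token, now \\ System.system_time(:second)) do
    case JOSE.JWT.verify_strict(public_jwk, ["RS256"], token) do
      {true, %JOSE.JWT{fields: claims}, _jws} -> check_times(claims, now)
      _ -> {:error, :invalid_signature}
    end
  end

  # Claims are only trusted here because the signature already verified.
  defp check_times(claims, now) do
    exp = claims["exp"]
    nbf = claims["nbf"]

    cond do
      not is_number(exp) -> {:error, :missing_exp}
      now >= exp + @leeway -> {:error, :expired}
      is_number(nbf) and now + @leeway < nbf -> {:error, :not_yet_valid}
      true -> {:ok, claims}
    end
  end
end

# Constructed demo: a throwaway key and tokens generated in-process.
jwk = JOSE.JWK.generate_key({:rsa, 2048})
public_jwk = JOSE.JWK.to_public(jwk)
now = System.system_time(:second)

sign = fn claims ->
  {_, token} = JOSE.JWT.sign(jwk, %{"alg" => "RS256"}, claims) |> JOSE.JWS.compact()
  token
end

{:ok, _} = TokenCheck.verify(public_jwk, sign.(%{"sub" => "demo", "exp" => now + 300}))
{:error, :expired} = TokenCheck.verify(public_jwk, sign.(%{"sub" => "demo", "exp" => now - 300}))
{:error, :missing_exp} = TokenCheck.verify(public_jwk, sign.(%{"sub" => "demo"}))
```

Rejecting tokens that carry no `exp` at all is a policy choice made in this example; relax it only if non-expiring tokens are intended.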