Since it is preferred to sign-then-encrypt I was wondering how can another party validate that the message is valid?
The use case I had was the following...
- Client authenticates and gets the access token, the access token is a signed JWT from authorization server
- Client verifies that the JWT is signed by a key that the client recognizes
- Client sends requests with the JWT passed on the header as Bearer token.
- when server receives the request, it does a quick check to see if JWT is signed by a key that the resource server recognizes.
Now I want to change that so that the client doesn't need to see the content.
- Client authenticates and gets the access token, the access token is JWE from authorization server. Encrypted with public key of resource server.
- IS THIS POSSIBLE? Client verifies that the JWE is signed by a key that the client recognizes
- Client sends requests with the JWE passed on the header as Bearer token.
- IS THIS POSSIBLE? Resource Server verifies that the JWE is signed by a key that the resource server recognizes
- Resource server decrypts the JWE to get the JWT claims.
Given the use case above, it makes more sense to encrypt-then-sign, or sign-encrypt-then-sign.
