A Simple Guide to Creating JWT RS256 Signatures

JWT (JSON Web Token) is widely used for securing web applications. It ensures that data is authentic and hasn’t been tampered with. When using the RS256 algorithm, JWT relies on public-private key pairs to sign and verify tokens.

In this blog, we’ll walk through how to manually create RS256 signatures in a simple and easy-to-follow way. By the end, you’ll understand how it all works behind the scenes.

Mastering in JSON Web Token ( JWT )
Understanding JWT Algorithms: HS256, RS256, and None
How to use JWT Token Safely
A Simple Guide to Creating JWT HS256 Signatures

What is RS256 algorithms ?

RS256 stands for “RSA Signature with SHA-256.” It is an asymmetric signing algorithm, which means it uses a pair of keys: a private key for signing the token and a public key for verifying it. This method is more secure than symmetric algorithms (like HS256) because the private key is kept secret, while the public key can be shared with anyone who needs to verify the token.

Creating an RS256 Signature Manually:

• Step1: make sure OpenSSL installed on your system.

• Step2: Run the following command to generate a private key:

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048

This command creates a private key file named private_key.pem using the RSA algorithm with a key size of 2048 bits.

• Step3: Run the following command to generate a public key:

openssl rsa --pubout -in private_key.pem -out public_key.pem

This command creates a public key file named public_key.pem from the private key.

• Step 4: Prepare Your Header and Payload

First, we need to create the header and payload. The header for HS256 looks like this:

{
  "alg": "HS256",
  "typ": "JWT"
}

The payload can contain any claims you want. For example:

{
  "sub": "1234567890",
  "name": "InfoSecSecure",
  "iat": 1516239022
}

• Step 5: Base64Url Encode the Header and Payload

Next, we need to convert the header and payload into a Base64Url format. This is similar to Base64 encoding but replaces + with – and / with _, and it also removes any trailing = characters.

Header Base64Url value: eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9
Payload Base64Url value: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkluZm9TZWNTZWN1cmUiLCJpYXQiOjE1MTYyMzkwMjJ9

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkluZm9TZWNTZWN1cmUiLCJpYXQiOjE1MTYyMzkwMjJ9.

• Step 6: Create the RS256 Signature

Run the following command to generate the signature part:

echo -n "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkluZm9TZWNTZWN1cmUiLCJpYXQiOjE1MTYyMzkwMjJ9" \
| openssl dgst -sha256 -sign private_key.pem -binary | base64 -w 0 | sed 's/+/-/g' | sed 's/\//_/g' | sed -E 's/=+$//'

Now we have the Base64Url encoded signature, we can create the final JWT by combining the header, payload, and signature:

JWT = header + "." + payload + "." + signature

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkluZm9TZWNTZWN1cmUiLCJpYXQiOjE1MTYyMzkwMjJ9.fku05f9hDrPJoZGgb4ATOOHg7Lbwdp3U6v6Cws1S1LET-rr0C6xRypUC4BeIDYCQQ3R021QsjCwmqoFU4jM7w4LwQluOTuFjDfoxnrQnVeMVHwsr0-t11mpdCq2mFoYrG-AhH2gBWMZOWx0NaQ2kq9QN_JYf97M3IeoFxRizxBFpoZWQ84_Lqhr3ajsGfKsNDs3xY62J8gAgahcVyT5FFEhAHTuwgblbxjR8izmuVFXTlrINOwwfbp-KkOAoAcEiAEIZB8GqHWCgPGUAZiMaXwlQ-crbT3IDW_16dqSCgg4Rk5_fW2qvh0ISa5ArjvRB0vPzKsirUy3tlrg4OUrJ-Q

• Step 7: Verify the JWT

To verify the JWT, we will use the public key. This ensures that the token was signed with the corresponding private key and has not been tampered with. Run the below following command..

echo -n "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkluZm9TZWNTZWN1cmUiLCJpYXQiOjE1MTYyMzkwMjJ9" \
| openssl dgst -sha256 -verify public_key.pem \
-signature <(echo -n "fku05f9hDrPJoZGgb4ATOOHg7Lbwdp3U6v6Cws1S1LET-rr0C6xRypUC4BeIDYCQQ3R021QsjCwmqoFU4jM7w4LwQluOTuFjDfoxnrQnVeMVHwsr0-t11mpdCq2mFoYrG-AhH2gBWMZOWx0NaQ2kq9QN_JYf97M3IeoFxRizxBFpoZWQ84_Lqhr3ajsGfKsNDs3xY62J8gAgahcVyT5FFEhAHTuwgblbxjR8izmuVFXTlrINOwwfbp-KkOAoAcEiAEIZB8GqHWCgPGUAZiMaXwlQ-crbT3IDW_16dqSCgg4Rk5_fW2qvh0ISa5ArjvRB0vPzKsirUy3tlrg4OUrJ-Q" \
| sed 's/-/+/g' | sed 's/_/\//g' | awk '{ padding = (4 - length % 4) % 4; printf "%s%s", $0, substr("===", 1, padding) }' | base64 -d)

Congratulations! We have successfully created an RS256 signature for a JSON Web Token (JWT) using OpenSSL. Here’s a quick recap of what we did:

• Installed OpenSSL: We ensured that OpenSSL installed on our machine.

• Generated RSA Keys: We created a private key for signing and a public key for verification.

• Created the JWT Header and Payload: We defined the structure of our JWT.

• Created the RS256 Signature: We signed the JWT using the private key and converted the signature to Base64Url format.

• Verified the JWT: We used the public key to verify that the JWT was valid and had not been tampered with.

Why Should Use RS256 Algorithms ?

Using RS256 for signing JWTs provides several benefits:

• Security: The private key is kept secret, while the public key can be shared. This means that only the holder of the private key can sign tokens, while anyone with the public key can verify them.

• Integrity: The signature ensures that the token has not been altered in transit.

• Scalability: Multiple services can verify the token using the public key without needing access to the private key.

Understanding how to create and verify RS256 signatures is an essential skill for developers working with secure web applications. By following the steps outlined in this guide, you can implement secure authentication mechanisms in your applications using JWTs.

Understanding RS256 is essential if you’re building secure systems that require authentication and authorization. Happy signing! 🎉