I am using JSON web tokens (JWT) for claims-based authentication. To hinder tampering I am also using JWS to digitally sign the token.

How can I verify the signature on the client-side (I am using the JWT for a SPA)?

And, in case I'd also use JWE, how could I decrypt the token client-side?

PS: Of course I know the answer: Just decrypt and / or verify using the matching algorithm … my question is more of how to accomplish this.


Solution

You could use a JS lib and calculate with its help on the client side: http://kjur.github.io/jsrsasign/

:)

Other tips

Keep in mind if you're using HMAC this won't work because you'd have to share the secret with the client, which is not recommended because browsers can't keep secrets. With asymmetrical encryption, this isn't a problem because the browser can use the public key.
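
An added example, not part of the original answers: verifying an RS256-signed JWS in the browser with only the public key, using the built-in Web Crypto API instead of the jsrsasign library linked above. `verifyJws` and `demoIssue` are hypothetical names; `demoIssue` stands in for the server and signs constructed claims with a freshly generated key pair.

```javascript
// Web Crypto is global in browsers; the require() fallback only covers older Node runtimes.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const ALG = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" }; // JWS alg "RS256"

const b64uToBytes = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));
const bytesToB64u = (buf) =>
  btoa(String.fromCharCode(...new Uint8Array(buf)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Returns the decoded claims if the signature is valid, otherwise null.
async function verifyJws(token, publicJwk) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  try {
    const header = JSON.parse(new TextDecoder().decode(b64uToBytes(h)));
    // Pin the algorithm: the token's own header must not choose how it is verified.
    if (header.alg !== "RS256") return null;
    const key = await subtle.importKey("jwk", publicJwk, ALG, false, ["verify"]);
    // The signature covers the ASCII bytes of "<header>.<payload>" exactly as received.
    const signed = new TextEncoder().encode(`${h}.${p}`);
    const ok = await subtle.verify(ALG, key, b64uToBytes(s), signed);
    return ok ? JSON.parse(new TextDecoder().decode(b64uToBytes(p))) : null;
  } catch {
    return null; // malformed base64url, JSON or key material
  }
}

// Demo only (constructed data): plays the server's role so the example runs offline.
async function demoIssue(claims) {
  const { publicKey, privateKey } = await subtle.generateKey(
    { ...ALG, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) },
    true, ["sign", "verify"]);
  const enc = (obj) => bytesToB64u(new TextEncoder().encode(JSON.stringify(obj)));
  const input = `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}`;
  const sig = await subtle.sign(ALG, privateKey, new TextEncoder().encode(input));
  return {
    token: `${input}.${bytesToB64u(sig)}`,
    publicJwk: await subtle.exportKey("jwk", publicKey), // only this part goes to the SPA
  };
}
```

In a real SPA only `verifyJws` and the server's public JWK are shipped to the browser; the private key never leaves the server.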

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow