Needs to support asymmetric key signatures over shared secrets #46
Comments
the library already does support RSA key signing. use the source, luke!

```ruby
require 'openssl'

# load the private key (PEM) and its passphrase
some_private_key = OpenSSL::PKey::RSA.new File.read('path/to/my/private/and/secure.pem'), 'password_for_my_private_key'

# sign the claims with the private key using RS512
rsa_signed_token = JWT.encode(
  {"exp" => Time.now.to_i+3600,
   "name" => "some_name"},
  some_private_key, "RS512")
```

You can then use the public key to verify the signatures. And if you need to generate an RSA key pair the OpenSSL library has very neat documentation:
Great, thanks for the information!

This should get put in the README, I had to google to find this.

contributing is not a crime, you know ;)

@kurtisnelson Thanks for bringing this up again. :) The README / documentation really needs some updates. Working on it this weekend.

@prandium I improved the documentation and added a better example.
Currently, you are using a shared secret to validate the signature of the JWT messages. This entirely defeats the purpose of signing the message and would only be suitable if you were encrypting and not signing the message. The idea behind signing a message is that only the originator can generate the signature and that signature can be validated but not forged. In your implementation any node that needs to validate a signature must in turn be able to forge new ones, because it must know the shared secret.
Therefore, ruby-jwt should allow for the use of asymmetric key based signature generation and checking as outlined in the ruby stdlib OpenSSL documentation here: http://ruby-doc.org/stdlib-2.0/libdoc/openssl/rdoc/OpenSSL.html#module-OpenSSL-label-Signatures. This will allow JWT consumers to verify requests without the ability to forge new ones.
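Added example (not ruby-jwt's code and not from any of the posters): the asymmetric flow the issue asks for, written against only Ruby's stdlib OpenSSL so it runs without the gem. The `rs256_encode` / `rs256_decode` names and the `demo` helper are assumptions for illustration; with the gem you would call `JWT.encode` / `JWT.decode` with the private and public key respectively. It shows the property the issue is about: a consumer holding only the public key can validate a token and detect tampering, but cannot produce a signature.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed example: a minimal RS256 JWS signer/verifier using only the
# Ruby standard library. Not the ruby-jwt gem's own implementation.

def b64url(bytes)
  Base64.urlsafe_encode64(bytes).delete('=')
end

def b64url_decode(str)
  # re-add the padding that JWT base64url strips
  Base64.urlsafe_decode64(str + '=' * ((4 - str.length % 4) % 4))
end

# Sign with the PRIVATE key: only the originator holds it.
def rs256_encode(payload, private_key)
  header = { 'alg' => 'RS256', 'typ' => 'JWT' }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  signature = private_key.sign(OpenSSL::Digest::SHA256.new, signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Verify with the PUBLIC key: a consumer can check but not forge.
# Returns the payload Hash on success, nil if the token is malformed,
# uses another algorithm, or fails signature verification.
def rs256_decode(token, public_key)
  parts = token.split('.')
  return nil unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  return nil unless header['alg'] == 'RS256' # pin the algorithm; never trust the token's choice
  signing_input = "#{parts[0]}.#{parts[1]}"
  signature = b64url_decode(parts[2])
  return nil unless public_key.verify(OpenSSL::Digest::SHA256.new, signature, signing_input)
  JSON.parse(b64url_decode(parts[1]))
end

# Hypothetical end-to-end run: originator signs, consumer verifies,
# tampering is detected, and the public key alone cannot sign.
def demo
  private_key = OpenSSL::PKey::RSA.new(2048)      # stays with the originator
  public_key  = private_key.public_key            # what consumers receive

  token = rs256_encode({ 'name' => 'some_name', 'exp' => Time.now.to_i + 3600 }, private_key)
  valid = rs256_decode(token, public_key)

  # Swap the payload but keep the original signature: verification must fail.
  h, _p, s = token.split('.')
  swapped = b64url(JSON.generate({ 'name' => 'other_name', 'exp' => Time.now.to_i + 3600 }))
  tampered = rs256_decode("#{h}.#{swapped}.#{s}", public_key)

  # Holding only the public key, signing is impossible (OpenSSL refuses).
  forge_succeeded = begin
    rs256_encode({ 'name' => 'other_name' }, public_key)
    true
  rescue OpenSSL::PKey::PKeyError, ArgumentError
    false
  end

  { valid: valid, tampered: tampered, public_can_sign: public_key.private?, forge_succeeded: forge_succeeded }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The `alg` pin in `rs256_decode` matters in practice: a verifier that lets the token choose its own algorithm can be talked into treating the RSA public key as an HMAC secret, which would reintroduce exactly the shared-secret problem the issue describes.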