Recently I started to study the possibility of using JSON Web Tokens in my projects, given their advantages. From what I understand, there is a symmetric and an asymmetric way of generating the signature for the tokens. The symmetric one seems to be the most common; I've seen it in several examples, signing with the same key stored somewhere in the system (correct me if I'm talking bullshit), as for example in this line using the jsonwebtoken package with Node.js and Express:
var jwt = require('jsonwebtoken');

// Symmetric signing (HS256 by default): one shared secret both issues and verifies tokens.
var token = jwt.sign(user, app.get('superSecret'), {
    expiresIn: '24h' // 1440 minutes; expiresInMinutes was replaced by expiresIn in later jsonwebtoken versions
});
Note that all signatures are based on superSecret, previously stored in the variable app.
If this is the symmetric method, what would the asymmetric one look like? I do not understand much about encryption, but I know that when we talk about asymmetric keys there must be a pair of keys: a private key and a public key.
How would this fit into the authentication process of a web application? Could someone explain to me and/or give an example of how JWT works with an asymmetric signature?
And, for that purpose (authentication in a web app), which of the two methods is more secure?