ASP.NET Core JWT - what's the difference between HmacSha512 and HmacSha512Signature algorithms?

Time:11-27

There are these two similar options in the SecurityAlgorithms class. Which one should be used for signing a JWT token? Is there any difference?

CodePudding user response:

There's no functional difference for JWTs; under the hood, HmacSha512Signature gets converted to HmacSha512.

My limited understanding is that they're different constants that represent the same underlying algorithm. The Signature versions are identifiers for representing the algorithm in XML, while the ones without the suffix map to the algorithm identifiers used by JWT.

Old documentation contains a remark on using the algorithms ending in 'Signature' for the signature argument, but the latest documentation no longer contains that remark. I suspect the Signature version was kept around for legacy and backwards compatibility reasons.

CodePudding user response:

The difference will be in the header of the token and specifically in the alg attribute. When you use HmacSha512 the header will look like this:

{
  "alg": "HS512",
  "typ": "JWT"
}

But when you use HmacSha512Signature the header will look like this:

{
  "alg": "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512",
  "typ": "JWT"
}

You can confirm that using https://jwt.io/.

I found out that many libraries, mainly outside .NET, do not support http://www.w3.org/2001/04/xmldsig-more#hmac-sha512 as a valid value for the alg attribute because it is not included in the JSON Web Algorithms RFC.

For example: https://github.com/auth0/node-jsonwebtoken/issues/662

So personally I decided to use HmacSha512.
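The interoperability problem described in the answer above, as an added example that is not part of the original thread or of any library's code: a minimal Python verifier that, like a strict JWA-only library, checks alg against an allow-list before checking the MAC. The key, claims and function names are constructed for illustration; the two alg strings are the ones shown in the answer.

```python
import base64, hashlib, hmac, json

# alg strings as shown in the answer above: the JWA name and the XML DSig URI
JWA_HS512 = "HS512"
XMLDSIG_HS512 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes, alg: str) -> str:
    """Build a compact JWS; the MAC is HMAC-SHA512 whatever string goes in alg."""
    header = {"alg": alg, "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + b64url(mac)

def verify(token: str, key: bytes, allowed=(JWA_HS512,)) -> dict:
    """Strict verifier: reject any alg outside the allow-list, then check the MAC."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in allowed:
        raise ValueError(f"unsupported alg: {alg!r}")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))

def demo() -> dict:
    key = b"k" * 64  # constructed sample key, not a real secret
    results = {}
    for name, alg in (("HmacSha512", JWA_HS512), ("HmacSha512Signature", XMLDSIG_HS512)):
        try:
            verify(sign({"sub": "alice"}, key, alg), key)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```

Both tokens carry the same HMAC-SHA512 computation; only the header string decides whether the strict verifier accepts them.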
