Starting with `3.2.0` it is possible to pass in an array of secret keys.
Dadinos opened this issue · 4 comments
> Starting with `3.2.0` it is possible to pass in an array of secret keys. The middleware then chooses the correct key based on the `kid` claim in the token header. For example:
>
> ```php
> $middleware = new JwtAuthentication([
>     "secret" => [
>         "acme" => "supersecretkeyyoushouldnotcommittogithub",
>         "beta" => "anothersecretkeyfornevertocommittogithub"
>     ]
> ]);
> ```
>
> A token with this header would use `supersecretkeyyoushouldnotcommittogithub` as the secret key:
>
> ```json
> { "typ": "JWT", "alg": "HS256", "kid": "acme" }
> ```
Is it possible when no kid is given we can fall back on a default key?
Originally posted by @Dadinos in #45 (comment)
It is not possible at the moment. Maybe one could be passed in settings with something like:

```php
$middleware = new JwtAuthentication([
    "secret" => [
        "default" => "anothersecretkeyfornevertocommittogithub",
        "acme"    => "supersecretkeyyoushouldnotcommittogithub",
        "beta"    => "anothersecretkeyfornevertocommittogithub"
    ]
]);
```

However, I am not sure if this ends up being a footgun. What is your use case?
Some customers create their own tokens and are not willing to include the `kid` param.
So I have to validate the client based on the `client_id` in the payload with a default key.
I already tried, more or less like you proposed:

```php
$middleware = new JwtAuthentication([
    "secret" => [
        ""     => "ifnokidisgiven",
        "acme" => "supersecretkeyyoushouldnotcommittogithub",
        "beta" => "anothersecretkeyfornevertocommittogithub"
    ]
]);
```

But no luck. So if a `kid` is given it needs to match, in this case `acme` or `beta`. If no `kid` is given, use the empty or default one.
Would that be possible, and does it make sense?
Yes, it makes sense. However, this middleware uses firebase/php-jwt for parsing and validating the token. I checked the code and it does not have a fallback mechanism to a default key if `kid` is missing.

One solution I can think of now is to suggest people use a default `kid` with a value of `default` or something similar. If that is not possible, maybe add another middleware which adds the default `kid` to the token before authenticating.
Ok thanks
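The key lookup discussed in this thread, as an added example written for this page (it is not slim-jwt-auth or firebase/php-jwt code): a plain-PHP HS256 verifier that resolves the signing key from a fixed, server-side map by the token's `kid`, falls back to an entry named `default` only when the header carries no `kid` at all, and rejects any unknown `kid`. The `DEFAULT_KID` constant, the entry name `default`, the helper names, and the sample secrets and tokens are all assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from slim-jwt-auth or firebase/php-jwt.
// Key selection by `kid` with an explicit fallback entry for tokens without one.

const DEFAULT_KID = 'default'; // hypothetical name of the fallback entry

// Constructed sample keys. Real keys come from configuration, never from the token.
const SECRETS = [
    'default' => 'anothersecretkeyfornevertocommittogithub',
    'acme'    => 'supersecretkeyyoushouldnotcommittogithub',
    'beta'    => 'yetanothersecretkeyfornevertocommittogithub',
];

function b64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string
{
    $padded = $data . str_repeat('=', (4 - strlen($data) % 4) % 4);
    $out = base64_decode(strtr($padded, '-_', '+/'), true);
    if ($out === false) {
        throw new UnexpectedValueException('invalid base64url');
    }
    return $out;
}

// Issue an HS256 token; the optional $kid is written into the header.
function issue_token(array $claims, string $secret, ?string $kid = null): string
{
    $header = ['typ' => 'JWT', 'alg' => 'HS256'];
    if ($kid !== null) {
        $header['kid'] = $kid;
    }
    $signingInput = b64url_encode(json_encode($header)) . '.' . b64url_encode(json_encode($claims));
    return $signingInput . '.' . b64url_encode(hash_hmac('sha256', $signingInput, $secret, true));
}

// Pick the key from the still-UNVERIFIED header. At this point `kid` is
// attacker-controlled input, so it is used only as a lookup into the fixed map.
// A header without any `kid` gets the default entry; a `kid` that is present
// but unknown (or not a string) is rejected rather than silently defaulted.
function resolve_key(array $header, array $secrets): string
{
    if (!array_key_exists('kid', $header)) {
        if (!isset($secrets[DEFAULT_KID])) {
            throw new UnexpectedValueException('"kid" missing and no default key configured');
        }
        return $secrets[DEFAULT_KID];
    }
    $kid = $header['kid'];
    if (!is_string($kid) || !isset($secrets[$kid])) {
        throw new UnexpectedValueException('"kid" invalid, unable to lookup correct key');
    }
    return $secrets[$kid];
}

// Verify an HS256 token against the key map and return its claims, or throw.
function verify_token(string $jwt, array $secrets): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new UnexpectedValueException('wrong number of segments');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    // Pin the algorithm server-side; the token never gets to choose it.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        throw new UnexpectedValueException('unsupported or missing alg');
    }
    $key = resolve_key($header, $secrets);
    $expected = hash_hmac('sha256', "$h.$p", $key, true);
    if (!hash_equals($expected, b64url_decode($s))) { // constant-time compare
        throw new UnexpectedValueException('signature verification failed');
    }
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims)) {
        throw new UnexpectedValueException('invalid payload');
    }
    return $claims;
}

// Demo with constructed tokens: one with `kid`, one without, one with an
// unknown `kid`, and one without `kid` but signed under a non-default key.
$tokens = [
    'kid=acme'        => issue_token(['client_id' => 'acme-1'], SECRETS['acme'], 'acme'),
    'no kid'          => issue_token(['client_id' => 'legacy-7'], SECRETS['default']),
    'kid=gamma'       => issue_token(['client_id' => 'x'], 'whatever', 'gamma'),
    'no kid, acme key' => issue_token(['client_id' => 'acme-2'], SECRETS['acme']),
];
foreach ($tokens as $label => $jwt) {
    try {
        echo $label, ': ok, client_id=', verify_token($jwt, SECRETS)['client_id'], PHP_EOL;
    } catch (UnexpectedValueException $e) {
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Two design points worth noting. First, the key is chosen from the unverified header without modifying the token: the header bytes are part of the HMAC input, so any middleware that adds a `kid` to the token itself would change the signing input and break signature verification; such a middleware has to pass the chosen key to the verifier instead. Second, a missing `kid` maps to exactly one configured key and nothing else; the verifier does not try every key in the map, which is why the last demo token (no `kid`, signed under the `acme` key) is rejected. Rejecting an unknown `kid` instead of falling back keeps the default key from becoming a catch-all, which is the footgun the maintainer raises above.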