Where to get the public and the private key for JSON Web Token and JSON Web Signature ? #158

Closed
bunlongheng opened this issue Jan 24, 2017 · 12 comments

Comments

@bunlongheng

bunlongheng commented Jan 24, 2017

I noticed at the bottom of the post it requires the private and the public key.

How and where do we get those from?

Should we request them from the Auth Provider?

```php
<?php
use Lcobucci\JWT\Configuration; // the Configuration class used below needs this import
use Lcobucci\JWT\Signer\Key;
use Lcobucci\JWT\Signer\Rsa\Sha256; // you can use Lcobucci\JWT\Signer\Ecdsa\Sha256 if you're using ECDSA keys

$config = new Configuration();
$config->setSigner(new Sha256()); // Change the signer to RSA SHA256

$signer = $config->getSigner();
$privateKey = new Key('file://{path to your private key}');

$token = $config->createBuilder()
                ->issuedBy('http://example.com') // Configures the issuer (iss claim)
                ->canOnlyBeUsedBy('http://example.org') // Configures the audience (aud claim)
                ->identifiedBy('4f1g23a12aa', true) // Configures the id (jti claim), replicating as a header item
                ->issuedAt(time()) // Configures the time that the token was issued (iat claim)
                ->canOnlyBeUsedAfter(time() + 60) // Configures the time that the token can be used (nbf claim)
                ->expiresAt(time() + 3600) // Configures the expiration time of the token (exp claim)
                ->with('uid', 1) // Configures a new claim, called "uid"
                ->sign($signer, $privateKey) // creates a signature using your private key
                ->getToken(); // Retrieves the generated token

$publicKey = new Key('file://{path to your public key}');

var_dump($token->verify($signer, $publicKey)); // true when the public key was generated by the private one =)
```

Any hints or direction on this will be appreciated!

@Ocramius
Collaborator

@bunlongheng public and private keys are supposed to be known upfront.

The private key is to never be exposed to people outside the deployment environment (only "secret keepers", such as system administrators, should know them) where tokens are to be generated. The public key can be publicly distributed and passed around your system.

@bunlongheng
Author

@Ocramius: So if I don't have the private key and the public key, should I request one in order to properly configure this JWT integration?

@Ocramius
Collaborator

> Should I request one in order to properly configure this JWT integration?

You can generate a keypair. A symmetric key (private key === public key) is generally sufficient for most setups, as long as you keep the key secret. You can generate such a key with https://github.com/AndrewCarterUK/CryptoKey, for example.

If you want to generate asymmetric keys (private/public key differ), then you can use openssl (see https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL)
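A shell example, added here and not part of the lcobucci/jwt project or of this thread, that produces the key material the snippet at the top of the issue expects: a random symmetric key for HMAC signers, and an RSA (or ECDSA P-256) key pair for the `Rsa\Sha256` / `Ecdsa\Sha256` signers, generated with the openssl CLI that the wikibook link describes. It also checks that a public key really belongs to a private key, which is the condition the snippet's final `verify` call depends on. Output directory and file names are assumptions.

```shell
#!/bin/sh
# Added example, not project code. Generates JWT signing keys with the openssl CLI.
# All file names below ($1/private.pem, $1/public.pem) are assumptions.

# Symmetric key for HMAC signers (e.g. Hmac\Sha256): 32 random bytes, base64 encoded.
# The same value is used to sign and to verify, so it must stay secret everywhere it lives.
gen_symmetric_key() {
    openssl rand -base64 32
}

# RSA key pair for the Rsa\Sha256 signer. $1 is the output directory.
# umask 077 in the subshell makes the private key file mode 600, so other local
# users cannot read the signing key.
gen_rsa_keypair() {
    (
        umask 077
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$1/private.pem" 2>/dev/null
    )
    # The public key is derived from the private one and may be distributed freely.
    openssl pkey -in "$1/private.pem" -pubout -out "$1/public.pem"
}

# ECDSA P-256 key pair for the Ecdsa\Sha256 signer (ES256). Same layout as above.
gen_ec_keypair() {
    (
        umask 077
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$1/private.pem" 2>/dev/null
    )
    openssl pkey -in "$1/private.pem" -pubout -out "$1/public.pem"
}

# Confirm that public.pem belongs to private.pem in directory $1:
# 1. re-derive the public key from the private key and compare it to the stored one;
# 2. sign a constructed message with the private key and verify it with the public key.
# Returns 0 on success, 1 if the keys do not match.
check_keypair() {
    derived=$(openssl pkey -in "$1/private.pem" -pubout)
    stored=$(cat "$1/public.pem")
    [ "$derived" = "$stored" ] || return 1
    printf 'constructed test message\n' > "$1/msg.txt"
    openssl dgst -sha256 -sign "$1/private.pem" -out "$1/msg.sig" "$1/msg.txt" || return 1
    openssl dgst -sha256 -verify "$1/public.pem" -signature "$1/msg.sig" \
        "$1/msg.txt" >/dev/null 2>&1
}
```

Usage: `gen_rsa_keypair /path/to/keys && check_keypair /path/to/keys`, then point the snippet's `file://` paths at `private.pem` (on the signing host only) and `public.pem` (on every verifying host). The private key never needs to leave the machine that issues tokens, which is the split Ocramius describes above.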

@Ocramius Ocramius self-assigned this Jan 24, 2017
@Ocramius
Collaborator

@lcobucci this is possibly something we should link in the README, since crypto keys are not always a clear concept.

@geggleto

I would say use libsodium once there's a polyfill for native PHP... I think Scott was working on one :)

@Ocramius
Collaborator

@geggleto I'll start endorsing libsodium when it doesn't require users to install a custom extension :-P

Yes, I know there's an RFC for it, but please read above: some users are simply not aware of such tools, and will likely react with a "WTF" when told to install obscure stuff. FWIW, for a symmetric key, trying to quit vim is sufficient entropy.

@geggleto

@Ocramius Scott was working on a userland polyfill :)

@Ocramius
Collaborator

Throw it at @AndrewCarterUK's lib then, not here ;-)

@geggleto

I don't know if it has had a security review, but in the README it mentions if you have openssl then don't use this...

And yet on a security blog... https://paragonie.com/blog/2016/12/everything-you-know-about-public-key-encryption-in-php-is-wrong The Insecure Default That Bites Everyone ...

It seems the more ethical thing to do would be to point users in a general direction for them to read up on and make their own choice for crypto.

@Ocramius
Collaborator

@geggleto send a PR with a link to be added to the README. Discussing on whether /dev/urandom or openssl or a mistyped <ESC>:q! will produce enough entropy is not for this thread :-P

Meanwhile, closing.

@lcobucci
Owner

lcobucci commented Feb 5, 2017

Now that I read this issue (shame on me).

> @lcobucci this is possibly something we should link in the README, since crypto keys are not always a clear concept.

@Ocramius I think #88 covers that (maybe we can add some additional info there).

@bradchesney79

bradchesney79 commented Oct 26, 2018

In Laravel apps... check your storage/ directory under your project root for your public/private keys.

This doesn't necessarily apply to the issue described above; however, due to this being the first result for several of my google searches...

This JWT library is the one Laravel Passport uses; if you want to dig into a token at a level Laravel doesn't necessarily facilitate, this library makes it easier. Maybe I can save other people some time by my misusing the issue comments here. Sorry, thank you, you're welcome.

```
$ grep -rn oauth-public .
./vendor/laravel/passport/src/Console/KeysCommand.php:36:            Passport::keyPath('oauth-public.key'),
./vendor/laravel/passport/src/PassportServiceProvider.php:218:                $this->makeCryptKey('oauth-public.key')
```
