Where to get the public and the private key for JSON Web Token and JSON Web Signature ? #158
Comments
@bunlongheng public and private keys are supposed to be known upfront. The private key is to never be exposed to people outside the deployment environment (only "secret keepers", such as system administrators, should know them) where tokens are to be generated. The public key can be publicly distributed and passed around your system.
@Ocramius: So if I don't have the private key and the public key, should I request one in order to properly configure this JWT integration?
You can generate a keypair. A symmetric key (private key === public key) is generally sufficient for most setups, as long as you keep the key secret. You can generate such a key with https://github.com/AndrewCarterUK/CryptoKey, for example. If you want to generate asymmetric keys (private/public key differ), then you can use
@lcobucci this is possibly something we should link in the
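The two kinds of key the comment above distinguishes, generated with the openssl CLI and then used to sign and verify a JWT, as an added example that is not part of this thread or of the lcobucci/jwt project. It assumes a POSIX shell and an openssl binary; the file names, the payload and the function names (gen_hmac_secret, gen_rsa_keypair, hs256_sign, rs256_verify and friends) are this example's own choices, not anything the library exposes.

```shell
#!/bin/sh
# Added example, not code from the thread or from lcobucci/jwt.
# Symmetric (HS256) and asymmetric (RS256) JWT keys made with openssl,
# plus a minimal sign/verify so you can see what each key is for.
set -eu

# base64url as JWS (RFC 7515) wants it: standard base64, URL alphabet, no padding.
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# --- Symmetric key: one secret shared by issuer and verifier (HS256). ---
# 32 bytes from openssl's CSPRNG. Whoever holds this can both sign AND verify,
# so only the token issuer and the services that validate tokens may have it.
gen_hmac_secret() {            # $1 = file to write
  openssl rand -hex 32 > "$1"
  chmod 600 "$1"
}

# --- Asymmetric keypair: private key signs, public key only verifies (RS256). ---
# The public key may be handed to every consumer; the private key stays with the issuer.
gen_rsa_keypair() {            # $1 = private key file, $2 = public key file
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  chmod 600 "$1"
  openssl pkey -in "$1" -pubout -out "$2" 2>/dev/null
}

# "header.payload" of the compact serialization; this is what gets signed.
signing_input() {              # $1 = alg name, $2 = JSON payload
  h=$(printf '{"alg":"%s","typ":"JWT"}' "$1" | b64url)
  p=$(printf '%s' "$2" | b64url)
  printf '%s.%s' "$h" "$p"
}

# HS256 = HMAC-SHA256 over the signing input, keyed with the shared secret
# (the hex text in the file is used as the key bytes here, consistently on both sides).
hs256_sign() {                 # $1 = secret file, $2 = JSON payload
  input=$(signing_input HS256 "$2")
  sig=$(printf '%s' "$input" | openssl dgst -sha256 -hmac "$(cat "$1")" -binary | b64url)
  printf '%s.%s' "$input" "$sig"
}

# The verifier picks the algorithm from the key it holds, never from the token's
# "alg" header. NOTE: a real library compares MACs in constant time; shell's [ = ]
# does not, which is one reason to use the library rather than a script for this.
hs256_verify() {               # $1 = secret file, $2 = token; exit 0 iff valid
  input=${2%.*}
  expected=$(printf '%s' "$input" | openssl dgst -sha256 -hmac "$(cat "$1")" -binary | b64url)
  [ "${2##*.}" = "$expected" ]
}

# RS256 = RSASSA-PKCS1-v1_5 with SHA-256, which is what `openssl dgst -sign` does for RSA keys.
rs256_sign() {                 # $1 = private key file, $2 = JSON payload
  input=$(signing_input RS256 "$2")
  sig=$(printf '%s' "$input" | openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s' "$input" "$sig"
}

rs256_verify() {               # $1 = public key file, $2 = token; exit 0 iff valid
  input=${2%.*}
  sigb64=$(printf '%s' "${2##*.}" | tr '_-' '/+')
  while [ $(( ${#sigb64} % 4 )) -ne 0 ]; do sigb64="${sigb64}="; done   # restore padding
  sigfile=$(mktemp)
  printf '%s' "$sigb64" | openssl base64 -d -A > "$sigfile"
  if printf '%s' "$input" | openssl dgst -sha256 -verify "$1" -signature "$sigfile" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -f "$sigfile"
  return $rc
}
```

Source the file and call the functions, e.g. `gen_rsa_keypair issuer.key issuer.pub`, then `rs256_sign issuer.key '{"sub":"alice"}'` on the issuing side and `rs256_verify issuer.pub "$token"` on a consumer that only ever receives `issuer.pub`. The point of the split is visible in the verify functions: `hs256_verify` needs the same secret the signer used, `rs256_verify` does not.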
I would say using LibSodium once there's a polyfill for native php... I think Scott was working on one :) |
@geggleto I'll start endorsing libsodium when it doesn't require users to install a custom extension :-P Yes, I know there's an RFC for it, but please read above: some users are simply not aware of such tools, and will likely react with a "WTF" when told to install obscure stuff. FWIW, for a symmetric key, trying to quit vim is sufficient entropy.
@Ocramius Scott was working on a userland polyfill :) |
Throw it at @AndrewCarterUK's lib then, not here ;-) |
I don't know if it has had a security review, but in the README it mentions that if you have openssl then don't use this... And yet on a security blog... https://paragonie.com/blog/2016/12/everything-you-know-about-public-key-encryption-in-php-is-wrong "The Insecure Default That Bites Everyone" ... It seems the more ethical thing to do would be to point users in a general direction for them to read up on and make their own choice for crypto.
@geggleto send a PR with a link to be added to the Meanwhile, closing. |
In Laravel apps... check your storage/ directory under your project root for your public/private keys. This doesn't necessarily apply to the issue described above; however, due to this being the first result for several of my google searches... This JWT library is the one Laravel passport uses, if you want to dig into a token at a level Laravel doesn't necessarily facilitate, this library makes it easier. Maybe I can save other people some time by my misusing the issue comments here. Sorry, thank you, you're welcome.
I noticed at the bottom of the post that it requires the private and the public key.
How and where do we get those from?
Should we request them from the Auth Provider?
Any hints or direction on this will be appreciated!