Can I set all secret keys to the same value? And reuse a CookieSigner?


#1

Hi,

I’m upgrading from v3 to v4 and have 3 quick questions (quick if you know the answers already :- ))

Q 1: In the config file, there are many different keys:

  authenticator.cookie.signer.key = "[changeme]" // A unique encryption key
  authenticator.crypter.key = "[changeme]" // A unique encryption key

  oauth1TokenSecretProvider.cookie.signer.key = "[changeme]" // A unique encryption key
  oauth1TokenSecretProvider.crypter.key = "[changeme]" // A unique encryption key

  oauth2StateProvider.cookie.signer.key = "[changeme]" // A unique encryption key

Can I set all of them to the value of play.crypto.secret?
Or is there any upside in using a unique value for each key?


Q 2: Can I reuse the same cookie signer? Like I do in the code snippet below.
––> shows where it’s created, used, and used once again.

Q 3: The cookie signer pepper: is it OK for me to hardcode it, as shown below, on the ==> line?

import com.mohiva.play.silhouette.{api => sia, impl => sii}

...

––>   private val CookieSigner = new com.mohiva.play.silhouette.crypto.JcaCookieSigner(
        com.mohiva.play.silhouette.crypto.JcaCookieSignerSettings(
==>       key = Globals.applicationSecret, pepper = "sil-pepper-kfw93KPUF02wF"))

      private val Crypter = new com.mohiva.play.silhouette.crypto.JcaCrypter(
        com.mohiva.play.silhouette.crypto.JcaCrypterSettings(key = Globals.applicationSecret))

      private val Oauth2StateProvider = new sii.providers.oauth2.state.CookieStateProvider(
        sii.providers.oauth2.state.CookieStateSettings(
          cookieName = OauthStateCookieName, secureCookie = Globals.secure),
        new sii.util.SecureRandomIDGenerator(),
––>     CookieSigner,
        sia.util.Clock())

      private val OAuth1TokenSecretProvider = new sii.providers.oauth1.secrets.CookieSecretProvider(
        sii.providers.oauth1.secrets.CookieSecretSettings(
          cookieName = "dwCoOAuth1TokenSecret", secureCookie = Globals.secure),
––>     CookieSigner,
        Crypter,
        sia.util.Clock())


Thanks for building Silhouette, and best wishes with the plans to make it work outside of Play.

Regards,
KajMagnus


#2

Hey @kajmagnus,

nice to see you back after a while!

It’s not recommended to use the same key for multiple purposes. I’ve explained the reasons in this post. I think the first answer answers your second question. If you use different crypto keys, then you normally do not need to change the pepper. But if you like, then you can hardcode it.

Best regards,
Christian
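One way to follow the advice above without storing five separate secrets: keep a single master secret and derive an independent key for each `*.signer.key` / `*.crypter.key` setting from it with HKDF (RFC 5869), labelling each derivation with the config key it serves. The following is an added example, not Silhouette's code; the `CookieSigner` class is a plain HMAC-SHA256 illustration, not `JcaCookieSigner`, and the master secret and pepper values are constructed for the demo.

```python
"""Purpose-bound keys from one master secret (added example, not Silhouette code)."""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf(master: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF-Extract followed by HKDF-Expand (RFC 5869) over HMAC-SHA256.

    `info` is the purpose label: two different labels give two unrelated keys,
    so compromising or misusing one does not affect the other.
    """
    if not salt:
        salt = b"\x00" * HASH_LEN          # RFC 5869: default salt is HashLen zero bytes
    prk = hmac.new(salt, master, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


# Labels mirror the config keys from the question; each gets its own key.
PURPOSES = (
    "authenticator.cookie.signer.key",
    "authenticator.crypter.key",
    "oauth1TokenSecretProvider.cookie.signer.key",
    "oauth1TokenSecretProvider.crypter.key",
    "oauth2StateProvider.cookie.signer.key",
)


def derive_keys(master_secret: str) -> dict:
    """Return one 256-bit key per purpose, all derived from the same master secret."""
    return {p: hkdf(master_secret.encode(), p.encode()) for p in PURPOSES}


class CookieSigner:
    """Minimal HMAC cookie signer; the pepper is mixed into the MAC input.

    Illustrative only: this is not how JcaCookieSigner formats its output.
    """

    def __init__(self, key: bytes, pepper: str):
        self._key = key
        self._pepper = pepper.encode()

    def sign(self, data: str) -> str:
        tag = hmac.new(self._key, self._pepper + data.encode(), HASH).hexdigest()
        return f"{tag}-{data}"          # hex tag never contains '-', so the split is unambiguous

    def extract(self, signed: str):
        """Return the payload if the tag verifies under this signer's key, else None."""
        tag, sep, data = signed.partition("-")
        if not sep:
            return None
        expected = hmac.new(self._key, self._pepper + data.encode(), HASH).hexdigest()
        return data if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    keys = derive_keys("constructed-master-secret")   # constructed value
    for purpose, key in keys.items():
        print(f"{purpose:45s} {key.hex()[:16]}...")
    oauth2 = CookieSigner(keys["oauth2StateProvider.cookie.signer.key"], "constructed-pepper")
    oauth1 = CookieSigner(keys["oauth1TokenSecretProvider.cookie.signer.key"], "constructed-pepper")
    cookie = oauth2.sign("state-token")
    print("same purpose  :", oauth2.extract(cookie))   # payload returned
    print("other purpose :", oauth1.extract(cookie))   # None: key domains do not overlap
```

With this layout the operator still configures one secret, but a cookie signed by the OAuth2 state provider is rejected by the OAuth1 secret provider's signer, and the crypter keys are unrelated to the signer keys, which is the separation the answer recommends.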


#3

Hi Christian, thanks, and thanks for the info + link :- )