How to update JWT shared secret?

Hi!

I am considering using the JWT authenticator.
However, I don’t know how to update a sharedSecret without restarting the application, or how to use multiple (old and new) sharedSecrets together.

Is there a recommended way?

Hi,

this use case is currently not implemented. Currently there is only one shared secret supported, which must be passed in the config of the authenticator service. It would be possible to implement a secret service which can hold multiple secrets and, instead of passing a single secret, the service could be passed. But how should the authenticator service check for the right secret to use? Should it try all secrets until one is able to decrypt the JWT? Looks like a lot of overhead.

Best regards,
Christian

Thank you for replying!
I understood.

I am a beginner with JWT authentication.
While studying JWT authentication, I read an article saying that we need to update the secret key regularly for safety, and need to consider JWT tokens signed with the old secret key.


Should it try all secrets until one is able to decrypt the JWT?

I came up with only that method. I also thought it was necessary to accept the overhead.

What do you think of regular secret renewals and of the tokens signed with old private keys (should I throw them away?)?

Generally, it’s good advice to rotate keys to mitigate security breaches. If you search the web, there are good articles that describe how key rotation can be implemented for JWTs. A very good explanation can be found under the point Cryptographic key management in the post: https://www.pingidentity.com/en/company/blog/posts/2019/jwt-security-nobody-talks-about.html

As a workaround, as long as Silhouette doesn’t support key rotation, I would choose a very strong secret.
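The rotation scheme the thread circles around (keep the old and the new secret side by side, sign only with the new one, drop the old one once every token signed with it has expired) is sketched here as an added example. It is not Silhouette's code and does not use its API; it is a stand-alone HS256 implementation with the "kid" header answering Christian's question of how the verifier knows which secret to use, falling back to trying every key only for tokens that carry no kid. The key ring, kids and secrets are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key ring (assumption: kid -> HMAC secret). Only CURRENT_KID is
# used for signing; older kids stay in the ring for verification until every
# token signed with them has passed its "exp", then they are retired.
KEY_RING: Dict[str, bytes] = {
    "2024-01": b"old-secret-constructed-for-this-example",
    "2024-02": b"new-secret-constructed-for-this-example",
}
CURRENT_KID = "2024-02"


def sign(payload: dict, kid: str = CURRENT_KID, keys: Dict[str, bytes] = KEY_RING,
         include_kid: bool = True) -> str:
    """Produce an HS256 JWT; the 'kid' header tells the verifier which secret to use."""
    header = {"alg": "HS256", "typ": "JWT"}
    if include_kid:
        header["kid"] = kid
    parts = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
             _b64url(json.dumps(payload, separators=(",", ":")).encode())]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(keys[kid], signing_input, hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def verify(token: str, keys: Dict[str, bytes] = KEY_RING,
           now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the token verifies against the key ring, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        given_sig = _b64url_decode(s64)
    except ValueError:  # malformed base64, bad JSON or wrong part count
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm: the token must not get to choose "none" or another alg.
    if header.get("alg") != "HS256":
        return None
    kid = header.get("kid")
    if kid is None:
        candidates = list(keys.values())  # legacy token: try every key (the overhead from the thread)
    elif kid in keys:
        candidates = [keys[kid]]          # kid names the key: one HMAC, no search
    else:
        return None                       # kid refers to a retired or unknown key
    signing_input = f"{h64}.{p64}".encode("ascii")
    for secret in candidates:
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, given_sig):
            break
    else:
        return None
    exp = payload.get("exp")
    current = now if now is not None else time.time()
    if exp is not None and current >= exp:
        return None
    return payload


def retire(keys: Dict[str, bytes], kid: str) -> Dict[str, bytes]:
    """Drop a key from the ring once no unexpired token can still reference it."""
    return {k: v for k, v in keys.items() if k != kid}


if __name__ == "__main__":
    old_token = sign({"sub": "alice", "exp": 4102444800}, kid="2024-01")
    print(verify(old_token))                                   # still valid during the overlap window
    print(verify(old_token, keys=retire(KEY_RING, "2024-01")))  # None once the old key is retired
```

Tokens signed with the old secret keep working for as long as the old kid stays in the ring, which is the answer to the "should I throw it away?" question: keep the old key around for at most one token lifetime, then retire it. The fallback that tries every key is only needed for tokens issued before kids were introduced, so the per-request overhead disappears once those have expired.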

Thank you so much!!

I understand very well.

https://www.pingidentity.com/en/company/blog/posts/2019/jwt-security-nobody-talks-about.html

And this is very useful to me!
I will consider the best way for my project.