How to update JWT shared secret?

Hi!

I am considering using the JWT authenticator.
However, I don’t know how to update a sharedSecret without restarting the application and use multiple (old and new) sharedSecrets together.

Is there a recommended way?

Hi,

this use case is currently not implemented. Currently there is only one shared secret supported, which must be passed in the config of the authenticator service. It would be possible to implement a secret service which can hold multiple secrets and, instead of passing a single secret, the service could be passed. But how should the authenticator service check for the right secret to use? Should it try all secrets until one is able to decrypt the JWT? Looks like a lot of overhead.

Best regards,
Christian

Thank you for replying!
I understood.

I am a beginner with JWT certification.
While studying JWT certification, I read an article that we need to update the secret key regularly for safety, and need to consider JWT tokens signed with the old secret key.


Should it try all secrets until one is able to decrypt the JWT?

I came up with only that method. I also thought it was necessary to allow the overhead.

What do you think of regular secret renewals and the tokens signed with old private keys (should I throw them away)?

Generally, it’s good advice to rotate keys to mitigate security breaches. If you search the web, there are good articles that describe how key rotation can be implemented for JWTs. A very good explanation can be found under the heading Cryptographic key management in the post: https://www.pingidentity.com/en/company/blog/posts/2019/jwt-security-nobody-talks-about.html

As a workaround, as long as Silhouette doesn’t support key rotation, I would choose a very strong secret.

Thank you so much!!

I understand very well.

https://www.pingidentity.com/en/company/blog/posts/2019/jwt-security-nobody-talks-about.html

And this is very useful to me!
I will consider the best way for my project.

Hi,
I have the same question.
I got KeyLengthException: ‘The secret length must be at least 256 bits’ since I updated Silhouette to version 6.
I know I have to use a longer secret, but if I do so, old tokens from the old secret will be invalid.
How can I update to a 256-bit secret without affecting old users?

Thank you

Hi,

Is this a huge issue for you if old users must log in again? In my opinion, a token should be changed periodically, to mitigate the security risk.

Best regards,
Christian

Hi akkie,

Thanks for your reply.
You are right, I should have handled invalid tokens.

I can certainly navigate users to log in again if the token is invalid in the next app update, but the challenge is,
I cannot guarantee that “every” user has the update.
So it looks like the only way to solve this issue is to wait for a long enough time, like three months, and then I can finally update Silhouette to version 6.
Not a good solution though…
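One way to implement the multi-secret “secret service” Christian sketched earlier in the thread, combined with the `kid`-based rotation described in the linked Ping Identity post, as an added example written for this thread and not code from Silhouette: a key ring that signs new tokens with the current secret, still verifies tokens under the older secrets during an overlap window, and retires an old secret once the tokens signed with it have expired. It is plain Python standard library (HS256 via `hmac`); the `KeyRing` class, the `rotate`/`retire`/`sign`/`verify` functions, the `kid` values and the sample secrets are all constructed assumptions, and the 256-bit minimum is enforced only on a newly rotated-in signing secret, so a pre-existing shorter secret (the situation in the last post) can keep verifying old tokens until it is retired.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# 256 bits: the minimum the KeyLengthException in the thread enforces for the signing secret.
MIN_SIGNING_SECRET_BYTES = 32


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass(frozen=True)
class KeyRing:
    """Hypothetical secret service: the key named by signing_kid signs new tokens;
    every key in `secrets` (older ones included) may still verify tokens."""
    signing_kid: str
    secrets: dict  # kid -> secret bytes

    def __post_init__(self):
        if self.signing_kid not in self.secrets:
            raise ValueError("signing key is not in the ring")


def rotate(ring: KeyRing, new_kid: str, new_secret: bytes) -> KeyRing:
    """Start signing with new_secret; old secrets stay in the ring for verification only."""
    if len(new_secret) < MIN_SIGNING_SECRET_BYTES:
        raise ValueError(f"new signing secret must be at least {MIN_SIGNING_SECRET_BYTES * 8} bits")
    return KeyRing(new_kid, {**ring.secrets, new_kid: new_secret})


def retire(ring: KeyRing, kid: str) -> KeyRing:
    """Drop an old secret once every token signed with it has expired."""
    if kid == ring.signing_kid:
        raise ValueError("cannot retire the active signing key")
    return KeyRing(ring.signing_kid, {k: v for k, v in ring.secrets.items() if k != kid})


def sign(ring: KeyRing, claims: dict, include_kid: bool = True) -> str:
    """Issue an HS256 token. include_kid=False mimics a legacy issuer that set no 'kid'."""
    header = {"alg": "HS256", "typ": "JWT"}
    if include_kid:
        header["kid"] = ring.signing_kid
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(ring.secrets[ring.signing_kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify(ring: KeyRing, token: str, now: Optional[float] = None):
    """Return the claims if the token verifies under a key in the ring, else None.
    A 'kid' header selects exactly one key, so rotation costs one HMAC per token;
    only a token without 'kid' falls back to trying every key (the overhead
    Christian mentions), which is acceptable for a bounded overlap period."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:  # bad base64, bad JSON, wrong segment count
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None  # the token must never pick the algorithm (e.g. 'none')
    kid = header.get("kid")
    if kid is None:
        candidates = list(ring.secrets.values())
    elif kid in ring.secrets:
        candidates = [ring.secrets[kid]]
    else:
        return None  # unknown or already retired key
    signing_input = f"{h64}.{p64}".encode()
    for secret in candidates:
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            exp = claims.get("exp")
            current = time.time() if now is None else now
            if exp is not None and current >= exp:
                return None  # valid signature but expired
            return claims
    return None


if __name__ == "__main__":
    # Constructed sample secrets for the demo; never hard-code real ones.
    old_ring = KeyRing("legacy", {"legacy": b"short-legacy-secret"})
    legacy_token = sign(old_ring, {"sub": "alice", "exp": 2_000_000_000})
    new_ring = rotate(old_ring, "2019-07", b"n" * 32)
    print("legacy token after rotation:", verify(new_ring, legacy_token))
    print("after retiring old key:", verify(retire(new_ring, "legacy"), legacy_token))
```

The overlap window between `rotate` and `retire` only needs to be as long as the lifetime of the longest-lived token issued under the old secret, so clients that have not updated keep working without the application being restarted, and the trial-of-all-secrets cost is paid only for tokens that carry no `kid`.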