Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

I'd like to be able to provide multiple valid secrets for a given request, preferably dynamically as well #310

Closed
dead-claudia opened this issue Dec 11, 2022 · 3 comments
Closed

I'd like to be able to provide multiple valid secrets for a given request, preferably dynamically as well #310

dead-claudia opened this issue Dec 11, 2022 · 3 comments

Comments

@dead-claudia
Copy link

Please do not report security vulnerabilities here. The Responsible Disclosure Program details the procedure for disclosing security issues.

Thank you in advance for helping us to improve this library! Your attention to detail here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community or Auth0 Support. Finally, to avoid duplicates, please search existing Issues before submitting one here.

By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

I'm looking for a way to migrate from one key to another without rejecting existing keys, to allow for short-lived secrets without disrupting users too much.

Describe the ideal solution

The easiest way to do this is to just have a period where you accept multiple secrets. The process would look something like this:

  1. Add key to list of accepted keys for both the issuer and consumer servers
  2. Update key issuer to use new key for issuing keys
  3. Wait for token lifespan plus a few minutes or so to account for clock differences
  4. Remove key from list of accepted keys for both the issuer and consumer servers

The API could just accept arrays of jwt.Secrets anywhere that type is accepted within this immediate module and offload the rest of that complexity to the callee.

Alternatives and current work-arounds

  1. Bite the bullet and just let every token fail to check.
  2. Fork this module. This is obviously far from ideal.

Additional context

Add any other context or screenshots about the feature request here.
@jfromaniello
Copy link
Member

This is a very common case, for which the secret parameter accepts either a secret or a GetVerificationKey callback.

https://github.com/auth0/express-jwt#retrieve-key-dynamically

Ideally you will have a map of KIDs (key-ids to secrets) and then use the kid header as follows:

var getSecret = async function (req, token) {
  const { kid } = token.header;
  return secrets[kid];
};

Notice is an async function so you could store this on a database etc.

At some point your api will stop accepting jwts signed with the old key.

@dead-claudia
Copy link
Author

Thanks! I have no idea why I didn't think of that.

It might be worth calling out in the README in that section as well as an example so others can see how it'd be done.

@jfromaniello
Copy link
Member

Good call, thank you. I added an example in the readme

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jfromaniello @dead-claudia