Jwt-auth: Multiple/Custom Secrets

Created on 11 Feb 2016 · 8 Comments · Source: tymondesigns/jwt-auth

I want to use JWT-Auth, but I don't always want to use the same secret - my API will be used by at least two different types of client application, and it would be ideal if every client application could have its own secret (that way I don't invalidate the admin panel client if the embeddable client misbehaves, and vice versa). While I could abuse the "jti" or "aud" claims to accomplish this, I'd rather conform to JWT spec. And while I could arguably hack together some custom claim, it would just be easy, ideal, and more secure (in general) to be able to configure custom secrets.

I saw in #74 that this functionality was described as "outside the scope of this package."

How so?

It appears to me, that with a little doing, the secret specified in the JWT Provider could be modified programmatically by-route or by-route-group or what-have-you.

I would be glad to look into this and make a pull request with the result, but first I want to make sure this is functionality that the maintainers are willing to consider and that I haven't underestimated the proposed change.

All 8 comments

Seems like giving Tymon\JWTAuth\Providers\JWT\Provider a getter and setter for $secret would be sufficient to make this change. Then you could switch the key by calling JWTAuth::getJWTProvider()->setSecret($secret).

I'm not a maintainer, so I can't rule on acceptability of the PR. But certainly you can implement it this way for yourself -- the provider paradigm is specifically so these sorts of things can be swapped in without requiring changes to the original library.

The change does sound reasonable to me though. It seems like there are a few others wanting to maintain multiple distinct JWT relationships through a single Laravel app.

I guess there could be a can of worms around the corner if people want _every_ config value to be toggleable, because that might not be feasible or clean... But on a single-case basis this feels fine to me?

Yep I actually added this a few days ago but hadn't pushed until now (https://github.com/tymondesigns/jwt-auth/commit/5d2fa1997c142c1c573f19a01bcc5ae74123827d)

as @tdhsmith has said you can now set the secret by doing the following

JWTAuth::getJWTProvider()->setSecret('foobarbaz');
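As an added example, not code from jwt-auth or from anyone in this thread, the following plain PHP sketches the per-client-secret model the original post asks for: a registry with one HS256 secret per client application, the token's `kid` header naming which secret signed it, and the secret being looked up and checked before any claim is trusted. The client names, the placeholder secrets, the `kid`-based lookup and the rule that `aud` must match `kid` are all assumptions of this example; jwt-auth itself exposes only `setSecret()` and leaves the selection logic to the application.

```php
<?php
// Added example (not jwt-auth's own code): one HS256 secret per client application,
// selected by the token's "kid" header and verified before any claim is trusted.
// Client names and secrets below are constructed placeholders.

function b64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data) {
    $pad = strlen($data) % 4;
    if ($pad) { $data .= str_repeat('=', 4 - $pad); }
    return base64_decode(strtr($data, '-_', '+/'), true);
}

// Hypothetical per-client secret registry. Each client application gets its own
// key, so rotating or revoking one client's secret leaves the other's tokens valid.
$secrets = [
    'admin-panel'  => 'REPLACE_WITH_LONG_RANDOM_ADMIN_SECRET',
    'embed-widget' => 'REPLACE_WITH_LONG_RANDOM_WIDGET_SECRET',
];

function issue_token(array $claims, string $kid, array $secrets): string {
    $header = ['typ' => 'JWT', 'alg' => 'HS256', 'kid' => $kid];
    $signingInput = b64url_encode(json_encode($header)) . '.' . b64url_encode(json_encode($claims));
    $sig = hash_hmac('sha256', $signingInput, $secrets[$kid], true);
    return $signingInput . '.' . b64url_encode($sig);
}

// Returns the verified claims, or null on any failure.
function verify_token(string $jwt, array $secrets, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { return null; }
    [$h, $p, $s] = $parts;

    $header = json_decode(b64url_decode($h) ?: '', true);
    // Pin the algorithm server-side; the token never gets to choose it.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') { return null; }

    // Unknown or missing kid means no secret, so reject. Do not fall back to a default key.
    $kid = $header['kid'] ?? null;
    if (!is_string($kid) || !isset($secrets[$kid])) { return null; }

    // Constant-time comparison of the signature before any claim is read.
    $expected = hash_hmac('sha256', "$h.$p", $secrets[$kid], true);
    $given = b64url_decode($s);
    if ($given === false || !hash_equals($expected, $given)) { return null; }

    $claims = json_decode(b64url_decode($p) ?: '', true);
    if (!is_array($claims)) { return null; }
    // Bind the claims to the key that signed them (assumption of this example):
    // a token signed with the widget's secret must also be addressed to the widget.
    if (($claims['aud'] ?? null) !== $kid) { return null; }
    if (($claims['exp'] ?? 0) <= $now) { return null; }
    return $claims;
}

// Usage: a token issued for the embed widget verifies against the widget's secret...
$now = time();
$token = issue_token(
    ['sub' => 'user-42', 'aud' => 'embed-widget', 'exp' => $now + 3600],
    'embed-widget',
    $secrets
);
var_dump(verify_token($token, $secrets, $now) !== null);

// ...and stops verifying once only the widget's secret is rotated; a token issued
// for the admin panel is unaffected by that rotation.
$secrets['embed-widget'] = 'NEW_WIDGET_SECRET_AFTER_ROTATION';
var_dump(verify_token($token, $secrets, $now));
```

The lookup is the whole point of the design: because `kid` comes from the unverified token, the verifier treats it only as an index into a server-side map and rejects anything it does not find, so a client can never nominate a secret the server did not already assign to it. With jwt-auth, the same selection would be done by the application (for example per route group) before calling `JWTAuth::getJWTProvider()->setSecret()` with the chosen client's secret.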

Awesome! @tymondesigns that's exactly what I need :smile:

I'm relatively new to composer - do I need to wait for a tagged release in order to start using this, or is it "safe" to tell composer to track the develop branch? It seems to me like the former is preferable.

I will be tagging an alpha release soon.

Hi, I don't see this method on my version. I have "version": "0.5.9". How can I get this version?

Can you please add that method to the current master, @tymondesigns? Thanks!
