thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

Why do we need public/private keys for AuthorizationServer #1265

Closed Gelembjuk closed 2 years ago

Gelembjuk commented 2 years ago

I have created the oauth2 app using this library. It works. But I still cannot understand why I need a private/public key pair to have this working. I do not see any public key exposed with my OAuth2 integration. If it is used only internally, then can I know for what? Can I use the library without keys?

I am asking because I am thinking about how to deliver my app to users and I need to understand if I really need those keys generated for every one of them. Thanks

olivernybroe commented 2 years ago

As far as I understand the private key is used to create the JWT access token. You then need the public key on resource servers for validating the access token.

eugene-borovov commented 2 years ago

AuthorizationServer requires private key to sign access token and encryption key to encode refresh token. Resource server requires public key to verify access token.
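
An added example, not from this thread or from the library's own documentation, showing where each piece of key material plugs into league/oauth2-server v8 as described above: the private key and the symmetric encryption key go only to `AuthorizationServer`, while `ResourceServer` gets only the public key. The repository class names under `App\Repositories`, the key file paths and the environment variable name are assumptions for illustration; the repository interfaces, `CryptKey`, both server classes and the methods called on them are the library's real API.

```php
<?php
// Added example: wiring of key material in league/oauth2-server v8.
// App\Repositories\* classes are hypothetical app-side implementations of the
// library's repository interfaces; key paths and env var name are assumed.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use App\Repositories\AccessTokenRepository;   // hypothetical, implements AccessTokenRepositoryInterface
use App\Repositories\ClientRepository;        // hypothetical, implements ClientRepositoryInterface
use App\Repositories\ScopeRepository;         // hypothetical, implements ScopeRepositoryInterface
use League\OAuth2\Server\AuthorizationServer;
use League\OAuth2\Server\CryptKey;
use League\OAuth2\Server\Exception\OAuthServerException;
use League\OAuth2\Server\Grant\ClientCredentialsGrant;
use League\OAuth2\Server\ResourceServer;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;

$clientRepository      = new ClientRepository();
$accessTokenRepository = new AccessTokenRepository();
$scopeRepository       = new ScopeRepository();

// --- Authorization server: the only component that reads the PRIVATE key ---
// It signs the JWT access token. CryptKey checks the key file's permissions
// by default (third constructor argument); keep that check on in production.
$privateKey = new CryptKey('file://' . __DIR__ . '/keys/private.key');

// The encryption key is a separate, symmetric secret: it encrypts the refresh
// token payload (and the authorization code), so it is distinct from the RSA
// pair. Generate once with `php -r 'echo base64_encode(random_bytes(32)), PHP_EOL;'`
// and load it from configuration; the fallback below is a labelled placeholder.
$encryptionKey = getenv('OAUTH_ENCRYPTION_KEY') ?: 'REPLACE_WITH_BASE64_32_BYTE_KEY';

$authServer = new AuthorizationServer(
    $clientRepository,
    $accessTokenRepository,
    $scopeRepository,
    $privateKey,
    $encryptionKey
);
$authServer->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1H'));

// Token endpoint handler: returns the signed access token (and encrypted
// refresh token where the grant issues one) or an RFC 6749 error response.
function issueToken(AuthorizationServer $server, ServerRequestInterface $req, ResponseInterface $res): ResponseInterface
{
    try {
        return $server->respondToAccessTokenRequest($req, $res);
    } catch (OAuthServerException $e) {
        return $e->generateHttpResponse($res);
    }
}

// --- Resource server: needs ONLY the PUBLIC key ---------------------------
// It verifies the JWT signature, then asks the access-token repository whether
// the token was revoked. Even when both servers live in one codebase, keeping
// this a separate object means request handling never touches the private key.
$publicKey = new CryptKey('file://' . __DIR__ . '/keys/public.key');

$resourceServer = new ResourceServer($accessTokenRepository, $publicKey);

// Protected-route guard: on success the returned request carries the
// oauth_access_token_id, oauth_client_id, oauth_user_id and oauth_scopes
// attributes; on a bad signature, expired or revoked token it returns null.
function authorize(ResourceServer $server, ServerRequestInterface $req): ?ServerRequestInterface
{
    try {
        return $server->validateAuthenticatedRequest($req);
    } catch (OAuthServerException $e) {
        return null;
    }
}
```

The split is the point of the thread: a deployment can ship `private.key` only to the process that runs `issueToken()`, and every resource server (including one in the same application) can verify tokens with nothing more than `public.key`, so compromise of a resource server does not yield the ability to mint tokens.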

Gelembjuk commented 2 years ago

What if my Resource server and AuthorizationServer are both parts of the same app? I do not need this extra verification. Can I skip usage of the key pair? In my case I just do not need it.

olivernybroe commented 2 years ago

@Gelembjuk If they are the same server, then why use OAuth and not just a session?

If you use OAuth it is needed, as how should your server be able to create the access token and validate it without having the certificate?

eugene-borovov commented 2 years ago

There is no legal way to skip these steps. But you may extend Resource and Authorization Server to skip usage of the key pair and implement AuthorizationValidatorInterface to disable signature verification.

I think this will lower the security level, because the token is walking on the wild Internet. Maybe simple JWT auth is your case?

Sephster commented 2 years ago

As the others have noted, this really is a fundamental requirement for the OAuth Server to work. The mechanism lets the resource server know that the JWT was created by the authorization server as your auth server should be the only one in possession of the private key. If you don't need this key pair, I suspect OAuth 2 isn't the right solution for your problem.