tuupola / slim-jwt-auth

PSR-7 and PSR-15 JWT Authentication Middleware
https://appelsiini.net/projects/slim-jwt-auth
MIT License

Starting with `3.2.0` it is possible to pass in array of secret keys. #235

Closed Dadinos closed 1 year ago

Dadinos commented 1 year ago
> Starting with `3.2.0` it is possible to pass in array of secret keys. The middleware then chooses the correct key based on the `kid` claim in the token header. For example:

use Tuupola\Middleware\JwtAuthentication;

$middleware = new JwtAuthentication([
    "secret" => [
        "acme" => "supersecretkeyyoushouldnotcommittogithub",
        "beta" => "anothersecretkeyfornevertocommittogithub"
    ]
]);

A token with this header would use supersecretkeyyoushouldnotcommittogithub as the secret key.

{
  "typ": "JWT",
  "alg": "HS256",
  "kid": "acme"
}

Is it possible, when no kid is given, to fall back on a default key?

Originally posted by @Dadinos in https://github.com/tuupola/slim-jwt-auth/issues/45#issuecomment-1273067475

tuupola commented 1 year ago

It is not possible at the moment. Maybe one could be passed in settings with something like:

use Tuupola\Middleware\JwtAuthentication;

$middleware = new JwtAuthentication([
    "secret" => [
        "default" => "anothersecretkeyfornevertocommittogithub",
        "acme" => "supersecretkeyyoushouldnotcommittogithub",
        "beta" => "anothersecretkeyfornevertocommittogithub"
    ]
]);

However, I am not sure if this ends up being a footgun. What is your use case?

Dadinos commented 1 year ago

Some customers create their own tokens and are not willing to include the kid param. So I have to validate the client based on the client_id in the payload with a default key. I already tried, more or less as you proposed:

use Tuupola\Middleware\JwtAuthentication;

$middleware = new JwtAuthentication([
    "secret" => [
        "" => "ifnokidisgiven",
        "acme" => "supersecretkeyyoushouldnotcommittogithub",
        "beta" => "anothersecretkeyfornevertocommittogithub"
    ]
]);

But no luck. So if a kid is given it needs to match, in this case acme or beta. If no kid is given, use the empty or default one.

Would that be possible and does it make sense?

tuupola commented 1 year ago

Yes it makes sense. However, this middleware uses firebase/php-jwt for parsing and validating the token. I checked the code and it does not have a fallback mechanism to a default key if kid is missing.

One solution I can think of now is to suggest that people use a default kid with a value of "default" or something similar. If that is not possible, maybe add another middleware which adds the default kid to the token before authenticating.
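
The fallback discussed in this thread can be done in application code in front of the middleware, by choosing the verification key from the token's `kid` header and using a named default entry when the header has none. The snippet below is an added example, not code from slim-jwt-auth, firebase/php-jwt, or either participant; it assumes firebase/php-jwt 6.x (`JWT::decode` with `Key` objects) and a key map entry named `default` (a name chosen here, not one the middleware understands):

```php
<?php
// Added example: pick the HMAC key from the unverified JOSE header's `kid`,
// fall back to a named default key when `kid` is absent, then let
// firebase/php-jwt do the actual signature and claim validation.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

// Constructed sample key map. "default" is a hypothetical entry name.
$secrets = [
    "default" => "ifnokidisgiven",
    "acme"    => "supersecretkeyyoushouldnotcommittogithub",
    "beta"    => "anothersecretkeyfornevertocommittogithub",
];

/**
 * Read the still-unverified JOSE header of a compact JWT.
 * The header is used only to look up a key; nothing in it is trusted
 * until JWT::decode has checked the signature.
 */
function readHeader(string $token): array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        throw new UnexpectedValueException('Wrong number of segments');
    }
    return (array) JWT::jsonDecode(JWT::urlsafeB64Decode($parts[0]));
}

/**
 * Verify $token. A present `kid` must name a configured key, a missing
 * `kid` selects $defaultKid, and an unknown `kid` is rejected outright
 * (the header value is only ever used as an array lookup, never as a path).
 */
function decodeWithFallback(string $token, array $secrets, string $defaultKid = "default"): stdClass
{
    $header = readHeader($token);
    $kid = $header['kid'] ?? $defaultKid;
    if (!isset($secrets[$kid])) {
        throw new UnexpectedValueException('Unknown key id');
    }
    // Pin the algorithm so the key map is never used with an algorithm
    // the token itself asks for.
    return JWT::decode($token, new Key($secrets[$kid], 'HS256'));
}

// Constructed tokens: one carrying kid=acme, one carrying no kid at all.
$withKid    = JWT::encode(['client_id' => 'c1'], $secrets['acme'], 'HS256', 'acme');
$withoutKid = JWT::encode(['client_id' => 'c2'], $secrets['default'], 'HS256');

var_dump(decodeWithFallback($withKid, $secrets)->client_id);
var_dump(decodeWithFallback($withoutKid, $secrets)->client_id);
```

The same lookup can live in a small PSR-15 middleware that runs before `JwtAuthentication` and hands it a single-key `secret` setting based on the header, which keeps the middleware's own key map untouched for tokens that do carry a `kid`.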

Dadinos commented 1 year ago

Ok thanks