Open darren19824 opened 4 years ago
Hi, why do you want to update the secret?
This is expected behaviour; it's the concept of JWT. Thanks to the signature (secret) you can validate whether the token is valid. Changing your signature will also invalidate all previously signed JWT tokens because the signatures do not match.
You can compare it with a door; it has the same principle. As soon as you change your lock, the key no longer works. So changing your signature will invalidate the token.
If it is possible to have multiple parallel versions of the auth guard with separately configured keys, then you can continue to accept both. I'm not sure if this is possible. To illustrate, in config/auth.php you would put:

```php
'guards' => [
    'api_new_key' => [
        'driver' => 'jwt',
        'provider' => 'users',
    ],
    'api' => [
        'driver' => 'jwt',
        'provider' => 'users',
    ],
],
```

To accept both in a route you can use: `->middleware(['auth:api,api_new_key',])`
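The dual-guard idea above amounts to verifying each token against both the new and the old secret for an overlap window. As an added Python example (not code from jwt-auth or from the commenters), here is a minimal HS256 verifier that takes an ordered list of accepted secrets, current secret first, so tokens signed with the retired secret stay valid until it is dropped from the list; the secrets and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT (header.payload.signature) with one secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify(token: str, accepted_secrets: List[bytes], now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the token is signed by any accepted secret and not expired.

    accepted_secrets is ordered: the current secret first, then retired secrets that are
    still honoured during the rotation window. Returns None for any invalid token.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        given_sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # only the algorithm we issue; rejects "none" and RS/ES swaps
        return None
    signing_input = f"{header_b64}.{body_b64}".encode()
    current_time = now if now is not None else int(time.time())
    for secret in accepted_secrets:
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, given_sig):  # constant-time comparison
            payload = json.loads(_b64url_decode(body_b64))
            if payload.get("exp", 0) <= current_time:
                return None  # signature fine, but the token has expired
            return payload
    return None  # not signed by the current secret or any still-accepted old one
```

Once every token issued under the old secret has passed its exp, remove it from the list and it stops being accepted.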
Subject of the issue
I need to update the secret key. Is there a way to update it without logging out every user? I presume it's not possible to reuse the old token once my secret key is changed, so all my users will be logged off and need to log in again. Is there any way to get around this?
If not, and if for security reasons I need to update the secret monthly, it will be pretty troublesome to ask my users to re-login monthly.