| 35,6 → 35,10 |
|---|
| * If a private/public key pair exists: Sign the JWT using that private key. |
| * Otherwise sign it using PBKDF2+HMAC: |
| `JWT = HS512(hash_pbkdf2("sha512", OIDplus::authUtils()->makeSecret(["0be35e52-f4ef-11ed-b67e-3c4a92df8582"]), "", 10000, 64/*256bit*/, false))` |
| - The JWT additionally contains a member `oidplus_ssh = OIDplus::authUtils()->makeSecret(["bb1aebd6-fe6a-11ed-a553-3c4a92df8582"]` (SSH = Server Secret Hash) |
| with the sole purpose of allowing to invalidate all issued JWT by changing the server secret. |
| (This would be more secure than the Blacklist feature, since changing the server secret) |
| also invalidates JWT which might have been maliciously postdated). |
| - Session Handler (OIDplusSessionHandler.class.php): |
| Encryption of session contents (regular logins) |
| * if OpenSSL is installed: sha512-pbkdf2 + AES-256-CBC + sha3-512-hmac |