Rev 1283 | Rev 1305
Rev 1283 | Rev 1298 | ||
---|---|---|---|
Line 33... | Line 33... | ||
33 | - Auth content Store (OIDplusAuthContentStoreJWT.class.php): |
33 | - Auth content Store (OIDplusAuthContentStoreJWT.class.php): |
34 | Key to sign JWT tokens (used for Automated AJAX requests, REST API and logins with "Remember me") |
34 | Key to sign JWT tokens (used for Automated AJAX requests, REST API and logins with "Remember me") |
35 | * If a private/public key pair exists: Sign the JWT using that private key. |
35 | * If a private/public key pair exists: Sign the JWT using that private key. |
36 | * Otherwise sign it using PBKDF2+HMAC: |
36 | * Otherwise sign it using PBKDF2+HMAC: |
37 | `JWT = HS512(hash_pbkdf2("sha512", OIDplus::authUtils()->makeSecret(["0be35e52-f4ef-11ed-b67e-3c4a92df8582"]), "", 10000, 64/*256bit*/, false))` |
37 | `JWT = HS512(hash_pbkdf2("sha512", OIDplus::authUtils()->makeSecret(["0be35e52-f4ef-11ed-b67e-3c4a92df8582"]), "", 10000, 64/*256bit*/, false))` |
- | 38 | - The JWT additionally contains a member `oidplus_ssh = OIDplus::authUtils()->makeSecret(["bb1aebd6-fe6a-11ed-a553-3c4a92df8582"]` (SSH = Server Secret Hash) |
- | 39 | with the sole purpose of allowing to invalidate all issued JWT by changing the server secret. |
- | 40 | (This would be more secure than the Blacklist feature, since changing the server secret) |
- | 41 | also invalidates JWT which might have been maliciously postdated). |
38 | - Session Handler (OIDplusSessionHandler.class.php): |
42 | - Session Handler (OIDplusSessionHandler.class.php): |
39 | Encryption of session contents (regular logins) |
43 | Encryption of session contents (regular logins) |
40 | * if OpenSSL is installed: sha512-pbkdf2 + AES-256-CBC + sha3-512-hmac |
44 | * if OpenSSL is installed: sha512-pbkdf2 + AES-256-CBC + sha3-512-hmac |
41 | * if OpenSSL is not installed: sha3-512-hmac |
45 | * if OpenSSL is not installed: sha3-512-hmac |
42 | * In both cases, the key is `OIDplus::authUtils()->makeSecret(["b118abc8-f4ec-11ed-86ca-3c4a92df8582"])`. |
46 | * In both cases, the key is `OIDplus::authUtils()->makeSecret(["b118abc8-f4ec-11ed-86ca-3c4a92df8582"])`. |
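Review bot: the new line 38 has an unbalanced call in the inline code, `makeSecret(["bb1aebd6-fe6a-11ed-a553-3c4a92df8582"]` is missing its closing `)`, and the parenthetical spanning lines 40-41 is closed twice (once after "server secret" and again after "postdated"); suggest `(This would be more secure than the Blacklist feature, since changing the server secret also invalidates JWT which might have been maliciously postdated.)`. The description of `oidplus_ssh` should also make explicit that the claim carries a derived hash of the server secret and never the secret itself, since a JWT payload is only base64url-encoded and readable by whoever holds the token, and that the verifier must recompute `makeSecret([...])` and compare it to the claim on every request (preferably with a constant-time comparison) for the "invalidate all issued JWT" property stated on line 39 to actually hold; as written, the doc explains why the member exists but not that verification depends on it.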