WebSVN – oidplus – Diff – /trunk/doc/developer_notes/server_secret.md

 - Auth content Store (OIDplusAuthContentStoreJWT.class.php):
   Key to sign JWT tokens (used for Automated AJAX requests, REST API and logins with "Remember me")
   * If a private/public key pair exists: Sign the JWT using that private key.
   * Otherwise sign it using PBKDF2+HMAC:
     `JWT = HS512(hash_pbkdf2("sha512", OIDplus::authUtils()->makeSecret(["0be35e52-f4ef-11ed-b67e-3c4a92df8582"]), "", 10000, 64/*256bit*/, false))`
+- The JWT additionally contains a member `oidplus_ssh = OIDplus::authUtils()->makeSecret(["bb1aebd6-fe6a-11ed-a553-3c4a92df8582"]` (SSH = Server Secret Hash)
+  with the sole purpose of allowing to invalidate all issued JWT by changing the server secret.
+  (This would be more secure than the Blacklist feature, since changing the server secret)
+  also invalidates JWT which might have been maliciously postdated).
 - Session Handler (OIDplusSessionHandler.class.php):
   Encryption of session contents (regular logins)
   * if OpenSSL is installed:        sha512-pbkdf2 + AES-256-CBC + sha3-512-hmac
   * if OpenSSL is not installed:    sha3-512-hmac
   * In both cases, the key is `OIDplus::authUtils()->makeSecret(["b118abc8-f4ec-11ed-86ca-3c4a92df8582"])`.

Subversion Repositories oidplus