Is anyone here already rotating the JWT Secret? #166
jansgescheit asked this question in Q&A (unanswered)
- Yes! In my case I use a 60 min TTL and the following code to refresh the token:

```php
// app/Http/Controllers/AuthController.php: the refresh action (the use statement belongs at file top)
use Illuminate\Http\Response;

/**
 * Refreshes a JWT (i.e. extends its TTL): the guard issues a new token
 * for the currently authenticated user and it is returned to the client.
 */
public function refresh(): Response
{
    return $this->respondWithToken($this->guard->refresh());
}
```

```php
// routes/api.php
use App\Http\Controllers\AuthController;
use Illuminate\Support\Facades\Route;

Route::middleware('jwt.check')
    ->post('refresh', [AuthController::class, 'refresh'])
    ->name('token.refresh');
```

But yes, it doesn't solve the problem if the old JWT has been obtained by a third party. Having separate auth and refresh tokens was previously discussed and was considered as one of the future features.
- Is anyone here already rotating the JWT Secret?
If so, how do you go about it? In the best case, so that the user does not have to log in again when the key has been rotated.
I have imagined that, on token refresh, a token with a new signature is delivered. This assumes, of course, that the token decoder knows both the old and the new secret, which can be problematic with a compromised old secret.
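The rotation scheme the question sketches (the decoder knows the old and the new secret, and refresh delivers a token signed with the new one), as an added example that is not part of the original thread and is not jwt-auth's own code: plain PHP 8 without the library, HS256 with a `kid` header that selects the secret from a small key ring. The `KeyRing` class and its `issue`/`verify`/`refresh`/`rotate`/`retire` methods, the key IDs `k1`/`k2`, the secrets and the fixed clock are all hypothetical so that the walk-through runs offline.

```php
<?php
// Added example, not code from the jwt-auth project or from this thread: a
// minimal HS256 key ring. Every key in the ring is accepted for verification,
// only the current key signs, and refresh re-signs under the current key.
// Class/function names, key IDs and secrets are hypothetical.
declare(strict_types=1);

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64urlDecode(string $s): string
{
    $s .= str_repeat('=', (4 - strlen($s) % 4) % 4);
    $bin = base64_decode(strtr($s, '-_', '+/'), true);
    return $bin === false ? '' : $bin;
}

final class KeyRing
{
    /** @param array<string,string> $keys kid => secret; every entry is accepted when verifying */
    public function __construct(private array $keys, private string $currentKid) {}

    /** Rotation step 1: add the new secret and sign with it from now on; the old one stays verify-only. */
    public function rotate(string $newKid, string $newSecret): void
    {
        $this->keys[$newKid] = $newSecret;
        $this->currentKid = $newKid;
    }

    /** Rotation step 2 (after one TTL, or at once if the old secret leaked): stop accepting that key. */
    public function retire(string $kid): void
    {
        if ($kid === $this->currentKid) {
            throw new LogicException('cannot retire the current signing key');
        }
        unset($this->keys[$kid]);
    }

    public function issue(array $claims, int $now, int $ttl): string
    {
        $header = ['alg' => 'HS256', 'kid' => $this->currentKid];
        $payload = $claims + ['iat' => $now, 'exp' => $now + $ttl];
        $input = b64url(json_encode($header)) . '.' . b64url(json_encode($payload));
        return $input . '.' . b64url(hash_hmac('sha256', $input, $this->keys[$this->currentKid], true));
    }

    /** Claims, or null if malformed, expired, or signed by a key not (or no longer) in the ring. */
    public function verify(string $jwt, int $now): ?array
    {
        $parts = explode('.', $jwt);
        if (count($parts) !== 3) {
            return null;
        }
        [$h, $p, $s] = $parts;
        $header = json_decode(b64urlDecode($h), true);
        // Pin alg and pick the key by kid only: the token never chooses the algorithm or the secret.
        $kid = is_array($header) && ($header['alg'] ?? null) === 'HS256' ? ($header['kid'] ?? null) : null;
        if (!is_string($kid) || !isset($this->keys[$kid])) {
            return null;
        }
        if (!hash_equals(hash_hmac('sha256', "$h.$p", $this->keys[$kid], true), b64urlDecode($s))) {
            return null;
        }
        $claims = json_decode(b64urlDecode($p), true);
        $exp = is_array($claims) ? ($claims['exp'] ?? null) : null;
        return is_int($exp) && $exp > $now ? $claims : null;
    }

    /** Refresh as the question imagines it: accept under any ring key, re-issue under the current key. */
    public function refresh(string $jwt, int $now, int $ttl): ?string
    {
        $claims = $this->verify($jwt, $now);
        if ($claims === null) {
            return null;
        }
        unset($claims['iat'], $claims['exp']);
        return $this->issue($claims, $now, $ttl);
    }
}

// Walk-through with constructed secrets and a fixed clock.
function check(bool $ok, string $what): void { if (!$ok) { throw new RuntimeException("FAILED: $what"); } echo "ok: $what\n"; }
$t0 = 1700000000;
$ring = new KeyRing(['k1' => 'old-secret-constructed'], 'k1');
$tokenOld = $ring->issue(['sub' => 'user-42'], $t0, 3600);
$ring->rotate('k2', 'new-secret-constructed');           // new logins sign with k2 ...
$tokenNew = $ring->refresh($tokenOld, $t0 + 600, 3600);   // ... and refresh moves old tokens to k2
$kidNew = json_decode(b64urlDecode(explode('.', $tokenNew)[0]), true)['kid'];
check($kidNew === 'k2', 'refresh re-signs under the new kid');
check($ring->verify($tokenOld, $t0 + 600) !== null, 'old token still accepted during the grace window');
$ring->retire('k1');                                      // old secret compromised: drop it right away
check($ring->verify($tokenOld, $t0 + 600) === null, 'tokens under the retired key are rejected (re-login)');
check($ring->verify($tokenNew, $t0 + 600) !== null, 'tokens under the current key keep working');
```

The old secret only ever verifies; nothing is signed with it after `rotate`, so the window in which it matters is at most one TTL (60 minutes in the reply above). That also answers the question's caveat: if the old secret is known to be compromised, call `retire` immediately instead of waiting out the TTL; every token still carrying that `kid` then fails verification and those users log in again, which is the only safe outcome once the key is gone. The `kid` is used purely as a lookup into keys the server already holds, and `alg` is pinned, so a token cannot point the verifier at an attacker-chosen algorithm or secret.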