How to generate a HS512 secret key to use with JWT

I am using Guardian to realize JWT Authentication with an Elixir / Phoenix app. I'm using the HS512 algorithm. And I need a key for that. Are there any conditions for this key except that it has to be 512 bits or longer? It can be any arbitrary string, right?

Ole Spaarmann asked Nov 27 '15 15:11



4 Answers

openssl rand -base64 172 | tr -d '\n'

OpenSSL generates a secret of 129 bytes ((172 * 6) / 8). 129 bytes is good for HS512 (see https://github.com/ueberauth/guardian/issues/152).

tr removes newlines.

Javier Yáñez answered Oct 19 '22 16:10
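An added example, not taken from any of the answers above, that shows in Python's standard library why the 512-bit minimum matters: it generates a 64-byte key from a CSPRNG, rejects anything shorter (the RFC 7518 rule that an HMAC key must be at least as long as the hash output), then signs and verifies a compact JWT with HS512 while pinning the algorithm on the verify side. The function names are my own and are not Guardian's API.

```python
import base64
import hashlib
import hmac
import json
import secrets

# RFC 7518 section 3.2: the HMAC key must be at least as long as the hash
# output, so HS512 needs at least 64 bytes (512 bits) of random key material.
HS512_MIN_KEY_BYTES = 64

def generate_hs512_key(nbytes: int = HS512_MIN_KEY_BYTES) -> bytes:
    """Return nbytes of CSPRNG output to use as the raw HS512 secret."""
    if nbytes < HS512_MIN_KEY_BYTES:
        raise ValueError(f"HS512 key must be at least {HS512_MIN_KEY_BYTES} bytes")
    return secrets.token_bytes(nbytes)

def b64url(data: bytes) -> str:
    # JWS uses unpadded base64url (RFC 7515, appendix C).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs512(claims: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature) with alg=HS512."""
    if len(key) < HS512_MIN_KEY_BYTES:
        raise ValueError("key too short for HS512")
    header = {"alg": "HS512", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url(tag)

def verify_hs512(token: str, key: bytes):
    """Return the claims if the HS512 signature verifies, otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm server-side; never let the token header pick it.
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(p))
```

The raw bytes are what the HMAC needs; if you store the key base64-encoded (as the openssl answer does), decode it back to at least 64 bytes before handing it to the library.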


In case anyone visits this now: Guardian added a mix task for that.

mix guardian.gen.secret

https://hexdocs.pm/guardian/Mix.Tasks.Guardian.Gen.Secret.html#content

Ole Spaarmann answered Oct 19 '22 15:10


The signing key is a byte array of any value or length you wish. Most JWT libraries allow you to use any string as key, which is converted to byte array.

To generate a secure 20-byte key, base64 encoded:

dd if=/dev/random bs=20 count=1 status=none | base64

libertylocked answered Oct 19 '22 15:10


You need to run this command on a Linux machine with OpenSSL library installed:

echo -n "somevalue" | openssl sha512 -hmac "somekey"

The output of this command is the HS512 (HMAC-SHA512), which you can use as the signing key with any JWT library.

Sohail answered Oct 19 '22 15:10