Binary secret
Hi,
When starting the server, the env vars JWT_KEY, PUBLISHER_JWT_KEY and SUBSCRIBER_JWT_KEY contain the secret key used to verify the tokens.
The problem is that we cannot use a binary secret.
Is it possible to add an option to allow the use of an encoded secret (hex, b64 or b64 url safe) instead of a plaintext secret for these env vars?
EDIT: had a look at #82 and in fact it would be better to support JWK. Should wait for https://github.com/dgrijalva/jwt-go/issues/249
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
As far as I can tell, this was never implemented for HS256 keys?
Related:
- https://pkg.go.dev/github.com/golang-jwt/jwt/v5#SigningMethodHMAC.Sign
- https://pkg.go.dev/github.com/golang-jwt/jwt/v5#SigningMethodHMAC.Verify
- https://golang-jwt.github.io/jwt/usage/signing_methods/#signing-methods-and-key-types
TL;DR: The API is designed to discourage misuse, but we misuse it anyway... 😆
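The request in this thread, sketched as an added example (not code from the project or from anyone in the thread): an encoded env var value is decoded to raw bytes before it is used as the HS256 key, which is the `[]byte` form the linked HMAC signing method expects. The `hex:`/`base64:`/`base64url:` prefix convention and all function names are assumptions, and HS256 is done with the standard library instead of jwt-go so the block runs on its own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// Hypothetical "scheme:" prefixes (not an existing server option); other values stay plaintext.
var decoders = map[string]func(string) ([]byte, error){
	"hex":       hex.DecodeString,
	"base64":    base64.StdEncoding.DecodeString,
	"base64url": base64.RawURLEncoding.DecodeString, // unpadded, as in JWTs
}

func decodeSecret(v string) ([]byte, error) {
	if scheme, rest, ok := strings.Cut(v, ":"); ok && decoders[scheme] != nil {
		return decoders[scheme](rest)
	}
	return []byte(v), nil
}

// signHS256 builds a compact HS256 token over the given JSON claims.
func signHS256(claims string, key []byte) string {
	enc := base64.RawURLEncoding
	in := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString([]byte(claims))
	m := hmac.New(sha256.New, key)
	m.Write([]byte(in))
	return in + "." + enc.EncodeToString(m.Sum(nil))
}

// verifyHS256 recomputes the MAC with the raw key and compares in constant time.
func verifyHS256(token string, key []byte) bool {
	i := strings.LastIndex(token, ".")
	if i < 0 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(token[i+1:])
	m := hmac.New(sha256.New, key)
	m.Write([]byte(token[:i]))
	return err == nil && hmac.Equal(sig, m.Sum(nil))
}

func main() {
	key, _ := decodeSecret("hex:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f") // constructed key
	fmt.Println(verifyHS256(signHS256(`{"sub":"demo"}`, key), key))
}
```

Because the verifier always computes HMAC-SHA256 itself, a token whose header claims a different `alg` simply fails the comparison.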