
Replace HMAC with ED25519 in examples

Open G1gg1L3s opened this issue 1 year ago • 5 comments

While HMAC remains relatively popular in some contexts, it's generally considered insecure, especially in untrustworthy environments, as it's easy for the verifier to forge the JWT token. OWASP, for example, recommends using signature algorithms instead of HMAC.

Since ED25519 is state-of-the-art among signature schemes, this PR adds it to the examples. This is to ensure that the examples are "secure by default". As a result, users have less chances of using weak algorithms when they blindly copy the examples.

Though, I didn't touch hmac_example_test.go, so if users really need HMAC tokens, they can explicitly go to the corresponding examples.

G1gg1L3s avatar Apr 22 '23 17:04 G1gg1L3s

Should we have both examples? If we're missing ed25519 examples then for sure we should add them, but given how prevalent HMAC is it seems worth keeping?

mfridman avatar May 15 '23 21:05 mfridman

The examples are a little bit of a mess since we have different ones in different files; I agree that we definitely want to have ones with priv/public key - maybe ECDSA as well. The question is also whether we really want to have them in the code repository anymore or on our documentation page, like here https://golang-jwt.github.io/jwt/usage/create/#with-additional-claims

oxisto avatar May 16 '23 06:05 oxisto

> Should we have both examples? If we're missing ed25519 examples then for sure we should add them, but given how prevalent HMAC is it seems worth keeping?

Yes, this is exactly why I left the hmac_example_test.go untouched! Users can explicitly go for it if they really need to. At the same time, the other examples provide algorithms more suitable for general use.

G1gg1L3s avatar May 20 '23 11:05 G1gg1L3s

> The examples are a little bit of a mess since we have different ones in different files; I agree that we definitely want to have ones with priv/public key - maybe ECDSA as well. The question is also whether we really want to have them in the code repository anymore or on our documentation page, like here https://golang-jwt.github.io/jwt/usage/create/#with-additional-claims

I don't see a problem with having the examples here, considering also that they are runnable tests. But if you want, I would like to contribute to the examples on https://golang-jwt.github.io!

G1gg1L3s avatar May 20 '23 11:05 G1gg1L3s

> > The examples are a little bit of a mess since we have different ones in different files; I agree that we definitely want to have ones with priv/public key - maybe ECDSA as well. The question is also whether we really want to have them in the code repository anymore or on our documentation page, like here https://golang-jwt.github.io/jwt/usage/create/#with-additional-claims
>
> I don't see a problem with having the examples here, considering also that they are runnable tests. But if you want, I would like to contribute to the examples on https://golang-jwt.github.io!

Sure! You can find the docs repo here: https://github.com/golang-jwt/jwt-docs

oxisto avatar May 20 '23 12:05 oxisto