LexikJWTAuthenticationBundle

Configure a different key pair per firewall guard

Open jolleychris opened this issue 7 years ago • 8 comments

Hi. Thank you for this excellent bundle! I would like to use a different .pem key pair for each firewall authenticator. It seems that this is not trivial, or at least, I cannot see what changes I would need to make to the bundle in order to achieve this. Is there a means to do it, or how could it best be approached?

At a high level, with changes to the extension config and loader I could read an array of key paths, or multiple key directory params. But I'm struggling to see how I could potentially then make use of that, and how I could pass that as a parameter in the firewall config.

Can anybody suggest an approach to this, and where I should be looking?

```yaml
firewalls:
    api:
        pattern:   ^/api
        stateless: true
        provider: myprovider1
        guard:
            authenticators:
                - lexik_jwt_authentication.jwt_token_authenticator
    other_api:
        pattern:   ^/api2
        stateless: true
        provider: myprovider2
        guard:
            authenticators:
                # new authenticator supporting other keys?
                - lexik_jwt_authentication.jwt_token_authenticator2
```

jolleychris avatar Aug 18 '17 14:08 jolleychris

Hey @jolleychris,

I'm pleased to read that, thanks for using this bundle. That's an interesting use case, which is not supported at all currently since the guard authenticator is not aware of the key pair; it is only aware of the encoder, which itself is key-pair bound.

Right now, achieving this on your side would require writing some PHP code; it is not doable through config. Since I see several ways, I'll give it a try on my side and come back with some code ASAP this week.

chalasr avatar Aug 23 '17 11:08 chalasr

That's a really positive reply! Thank you so much! I started picking through the encoder and reached the same conclusion, but need to sit down again with it and work out what I could do instead. I'm looking forward to seeing what someone more 'in the know' can do though. Happy to explain my use case in more detail too if you're intrigued. It has to do with working with two entirely disparate sources of users, accessing different layers of an API, and the need to ensure that a token for one is not exchangeable for a token for the other. Probably sounds stranger than it is in reality!

jolleychris avatar Aug 23 '17 15:08 jolleychris

I would also be interested in this. My use case is exactly the same as @jolleychris', I have two entirely different types of users accessing different parts of the application, and the token for one part should not be valid for the other part.

norbert-yoimo avatar Sep 19 '17 09:09 norbert-yoimo

Sorry for the delay. I'm going to work on this part in the coming days, this can't be achieved without rewriting a lot right now.

chalasr avatar Sep 19 '17 09:09 chalasr

No problem, don't worry about it :)

norbert-yoimo avatar Sep 19 '17 10:09 norbert-yoimo

Hi @chalasr. I see this feature was never implemented. Am I right? Our use case is the same, we need different key pairs for different firewalls. You commented you saw different ways to implement it. Could you expand this a little? Maybe we would go forward and try doing it. Thanks and good work!

sdepablos avatar Jul 23 '19 11:07 sdepablos

I'm also interested in your suggestions!

AntoineLemaire avatar Sep 26 '19 15:09 AntoineLemaire

Did anyone ever progress this? If you can give me a general approach, I'd have a go myself now I am several years of experience more familiar with the bundle, Symfony, and JWT.

jolleychris avatar Jan 10 '20 02:01 jolleychris
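
The isolation requirement described in this thread (a token issued for one firewall must not validate on the other), as an added example that is not part of the thread or of LexikJWTAuthenticationBundle: plain PHP with the openssl extension, holding one RSA key pair per firewall name. The function names and the `username` claim are hypothetical, and expiry checks are left out to keep the focus on key selection.

```php
<?php
// Added example, not bundle code. Firewall names come from the thread's config;
// the RSA key pairs are generated in memory and are constructed demo values.

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): string {
    $txt .= str_repeat('=', (4 - strlen($txt) % 4) % 4);
    return (string) base64_decode(strtr($txt, '-_', '+/'), true);
}

// Sign claims with the private key that belongs to one firewall.
function issue_token(string $firewall, array $claims, array $keys): string {
    $signed = b64url(json_encode(['typ' => 'JWT', 'alg' => 'RS256']))
        . '.' . b64url(json_encode($claims));
    openssl_sign($signed, $sig, $keys[$firewall]['private'], OPENSSL_ALGO_SHA256);
    return $signed . '.' . b64url($sig);
}

// Verify with the public key of the firewall handling the request. The key is
// chosen from server-side routing, never from anything inside the token.
function verify_token(string $firewall, string $jwt, array $keys): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    $header = json_decode(b64url_decode($parts[0]), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256') {
        return null; // pin the algorithm instead of trusting the header
    }
    $ok = openssl_verify($parts[0] . '.' . $parts[1], b64url_decode($parts[2]),
        $keys[$firewall]['public'], OPENSSL_ALGO_SHA256);
    $claims = $ok === 1 ? json_decode(b64url_decode($parts[1]), true) : null;
    return is_array($claims) ? $claims : null;
}

$keys = [];
foreach (['api', 'other_api'] as $fw) {
    $pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $keys[$fw] = ['private' => $pair, 'public' => openssl_pkey_get_details($pair)['key']];
}
$token = issue_token('api', ['username' => 'user1'], $keys);
var_dump(verify_token('api', $token, $keys) !== null);       // checked with the issuing firewall's key
var_dump(verify_token('other_api', $token, $keys) !== null); // checked with the other firewall's key
```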