
Public Key vs Encryption Key

Open linuxd3v opened this issue 7 years ago • 2 comments

So I'm extremely confused about what I should use when instantiating the AuthorizationServer object.

So the documentation directs people to generate public and private keys and then literally says:

The authorization server also requires the public key.

But then this commit removes the public key from the AuthorizationServer code: 76c2b6f88cccaa07f9eceaab42e0306dd839cacb

So which is it?
Why was the public key replaced with the encryption key?
If the public key is not being used for AuthorizationServer, then where is it being used?

linuxd3v, Jun 19 '18 15:06

It does look like the documentation needs updating. The code works as follows:

  • The Auth server uses the private key to sign payloads
  • The Resource server uses the public key to verify the signed payloads

These are typically JWTs.

The encryption key is either a string or a Key instance from the Defuse/Crypto library. It is used to encrypt the authorisation code or refresh code.

I'm unclear as to the motivations for the original change but a discussion about it can be found in this issue.

I hope that answers your question. I will modify this issue so that we can keep track and update the documentation to make it clearer. Thanks for reporting this.

Sephster, Jun 22 '18 12:06
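The three key roles described in the comment above, wired up as an added PHP example (not code from this thread or from the library's own documentation); the repository class names, key file paths and environment variable are assumptions:

```php
<?php
// Added example: which key goes where in league/oauth2-server.
// The *Repository classes are assumed to be the application's own
// implementations of the library's repository interfaces.
require 'vendor/autoload.php';

use Defuse\Crypto\Key;
use League\OAuth2\Server\AuthorizationServer;
use League\OAuth2\Server\CryptKey;
use League\OAuth2\Server\ResourceServer;
use League\OAuth2\Server\Grant\ClientCredentialsGrant;

// Key material (paths and env var are assumed):
//  - RSA private key: signs the JWT access tokens
//  - RSA public key:  verifies those signatures
//  - Defuse key:      symmetric key that encrypts auth codes / refresh tokens;
//                     unrelated to the RSA pair and must stay server-side
$privateKey    = new CryptKey('file:///path/to/private.key');
$publicKey     = new CryptKey('file:///path/to/public.key');
$encryptionKey = Key::loadFromAsciiSafeString(getenv('OAUTH_ENCRYPTION_KEY'));

// Authorization server: PRIVATE key + ENCRYPTION key, no public key.
// Keep the private key file readable only by the web server user.
$authServer = new AuthorizationServer(
    new ClientRepository(),
    new AccessTokenRepository(),
    new ScopeRepository(),
    $privateKey,
    $encryptionKey
);
$authServer->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1H'));

// Resource server: PUBLIC key only. It verifies bearer tokens and never
// needs the private key or the encryption key, so it can be deployed
// on a separate host without either secret.
$resourceServer = new ResourceServer(
    new AccessTokenRepository(),
    $publicKey
);
```

A deployment that hands the resource server the private key, or reuses the encryption key as the signing key, is the configuration mistake this thread's confusion would lead to; the split above is the one the library expects.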

Reopening as I want to track the documentation issue so we can resolve and then close.

Sephster, Jun 30 '18 10:06