Currently flat-manager only uses the repo secret to verify the JWT used for authenticated requests. The token itself is created by the authorization server. It would be better if flat-manager did not require a secret for validation, then, since it just increases the risk that the secret could be leaked.
Since JWT supports public key signatures such as RSA and ECDSA, it would be nice if flat-manager supported verification with public keys rather than HMAC secrets. Then the private key could just live with the authorization server. Since jsonwebtoken supports many algorithms, this shouldn't be too hard to add.