• rp

    1 year ago
    So it is a little cumbersome, but you can do the following:
    - Switch off JWT signing key rotation: https://supertokens.io/docs/session/common-customizations/sessions/jwt-signing-key-rotation (set `ACCESS_TOKEN_SIGNING_KEY_DYNAMIC` to `false`)
    - Go to the database > `key_value` table > change the value of `"access_token_signing_key"` to `public key;private key`. For example, if the public key is "pubkey" and private key is "prikey", then the value in the db should be "pubkey;prikey". The way we generate public and private keys can be seen here: https://github.com/supertokens/supertokens-core/blob/master/src/main/java/io/supertokens/utils/Utils.java#L189
  • rp

    1 year ago
    Note that this will enable you to set a global public key to verify the access token from the user. However, the access token's (not the same as an ID token) payload is not that of a standard JWT, so it also depends on what you want to do with the access token once its signature is verified
  • repomaa

    1 year ago
    ah it's not?
  • repomaa

    1 year ago
    what does the payload look like?
  • repomaa

    1 year ago
    would be great if it would contain the userId
  • repomaa

    1 year ago
    what format is `<public key>;<private key>` pem? JWK?
  • rp

    1 year ago
    The payload we have has the following:
    - `sessionHandle`: A constant ID per session.
    - `userId`
    - `refreshTokenHash1`: a reference to this token's refresh token
    - `parentRefreshTokenHash1`: a reference to the refresh token that was used to create this access token.
    - `userData`: Any JSON object that you wish to provide
    - `antiCsrfToken`: used to check if the incoming anti-csrf token is valid or not
    - `expiryTime`: in Milliseconds
    - `timeCreated`: in Milliseconds
    - `lmrt`: Used to check when the user had last manually authenticated
  • repomaa

    1 year ago
    well that's totally fine
  • repomaa

    1 year ago
    userData could contain roles or what not. Should be enough to do authorization based on the payload
  • rp

    1 year ago
    > what format is `public key;private key` pem? JWK?

    Yes .pem format, but without the `-----BEGIN PUBLIC KEY-----` and `-----END PUBLIC KEY-----` parts