I'm wondering if there's a way to implement rotating JWT secrets for MARS? Today a single secret is stored in the ini-file per API node (or parameter). Is there a way to override some class so that I can implement this? If so, point me in the right direction. I'd be glad to contribute as well.
The main reason is that if you like to keep your JWTs secure you have to change the secret quite often. The absolute best way would be to generate a new secret every time a new token is created. But that demands that the validation of the tokens is done with the correct secret. To solve this I suggest that there could be a value in the token payload like "secret_id":""
Let's say the server keeps a list of all current used secrets:
secret_id:1654984 => 4T32CvvSIQ%hijItZp4HX@UkD7WVbnlP
secret_id:9843131 => KHEXj4#DfvJjorx%u*q7JN!@8i0eCaWL
...
The server decodes the token that should be validated and finds the secret_id record. It then looks up the correct secret from the list.
There needs to be some housekeeping to remove old secrets from the list. The list could also be stored in a file so that you can restart your server at any time without losing clients.
Best regards,
/Pontus
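The scheme proposed in this issue, as an added example in plain Python (standard library only). This is not MARS code and not the issue author's code; the class and function names, the per-token secret generation, the `max_age_s` housekeeping policy and the JSON persistence format are assumptions chosen for illustration. The `secret_id` value is read from the not-yet-verified payload, so the code uses it only as a dictionary key to pick a secret and rejects the token if the id is unknown, expired or the HMAC does not match.

```python
"""Added example: rotating per-token HS256 JWT secrets selected by a secret_id claim.

Illustration only (not MARS code): store layout, claim name and housekeeping
policy are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RotatingSecretStore:
    """Current signing secrets keyed by secret_id, each with its creation time.

    A secret older than max_age_s is treated as unknown, which invalidates every
    token signed with it; housekeeping() physically removes such entries.
    """

    def __init__(self, max_age_s: int = 3600,
                 now: Callable[[], float] = time.time) -> None:
        self.max_age_s = max_age_s
        self._now = now          # injectable clock so expiry can be tested
        self._secrets: Dict[str, Tuple[bytes, float]] = {}

    def new_secret(self) -> str:
        """Generate a fresh 256-bit secret and return its id."""
        secret_id = secrets.token_hex(8)
        self._secrets[secret_id] = (secrets.token_bytes(32), self._now())
        return secret_id

    def lookup(self, secret_id: str) -> Optional[bytes]:
        """Return the secret for an id, or None if unknown or expired."""
        entry = self._secrets.get(secret_id)
        if entry is None or self._now() - entry[1] > self.max_age_s:
            return None
        return entry[0]

    def housekeeping(self) -> int:
        """Drop expired secrets; returns how many were removed."""
        cutoff = self._now() - self.max_age_s
        stale = [sid for sid, (_, created) in self._secrets.items() if created < cutoff]
        for sid in stale:
            del self._secrets[sid]
        return len(stale)

    def dump(self) -> str:
        """Serialise the store (e.g. to a file) so a restart keeps clients logged in."""
        return json.dumps({sid: [base64.b64encode(s).decode("ascii"), created]
                           for sid, (s, created) in self._secrets.items()})

    @classmethod
    def load(cls, text: str, max_age_s: int = 3600,
             now: Callable[[], float] = time.time) -> "RotatingSecretStore":
        store = cls(max_age_s, now)
        for sid, (b64, created) in json.loads(text).items():
            store._secrets[sid] = (base64.b64decode(b64), float(created))
        return store


def issue_token(store: RotatingSecretStore, claims: dict) -> str:
    """Create a new secret for this token and embed its id in the payload."""
    secret_id = store.new_secret()
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                      separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(dict(claims, secret_id=secret_id),
                                       separators=(",", ":")).encode())
    signing_input = header + "." + payload
    sig = hmac.new(store.lookup(secret_id), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(store: RotatingSecretStore, token: str) -> Optional[dict]:
    """Return the verified claims, or None for any malformed, unknown-key,
    expired-key or badly signed token."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except ValueError:               # covers base64, JSON and unpack errors
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":   # never let the token choose another algorithm
        return None
    secret_id = payload.get("secret_id")
    if not isinstance(secret_id, str):
        return None
    secret = store.lookup(secret_id)   # unverified id is used only as a lookup key
    if secret is None:
        return None
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return payload
```

Two design remarks: because a new secret is minted per token (as the issue proposes), the store grows with the number of issued tokens until housekeeping runs, so `max_age_s` effectively becomes the token lifetime; rotating one secret per time window instead keeps the store small. Also, the JWS standard (RFC 7515) already defines a `kid` header parameter for exactly this key-selection purpose, so carrying the id in the header rather than the payload would let off-the-shelf JWT libraries do the lookup.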