My Situation
When using next-auth for signing in with my Authentik server, I get an HS256-encoded JWT back from it, which can thus only be decoded with the OAuth `client_secret`. Note that I am not talking about the next-auth session token, but the OAuth session token.
I have a second backend that I also send my session cookies to, and in which I want to be able to verify the authenticity of the incoming requests. Since I don't want to share the `client_secret` with the other backend for security reasons, it would be much nicer to have RS256-encoded Authentik session cookies that I can easily verify using the JWK provided by Authentik. I am wondering whether it is a deliberate decision by next-auth to only use HS256-encoded JWTs from OAuth providers, and whether I can configure it to use RS256.
TLDR
next-auth requests HS256-encoded tokens from my OAuth 2.0 provider (Authentik). Can I configure it to use RS256 so I can decode (i.e. validate) it using a public key?