You have asked for benefits of HS256 over RS256, e.g. that it is easy to understand and get started with if new to OAuth2 / OIDC (related to perceived convenience).

Perceived convenience / understanding what to do - It is true that copying a clientId and clientSecret into the application's configuration is both easy to understand and quick to accomplish. However, today's libraries make RS256 simple to set up too: the library / framework will often offer the functionality to retrieve the public key and do the verification with similar configuration to HS256, but without the need to supply a secret. See some Auth0 examples using your technology choice to get an understanding of this if unfamiliar.

Performance - Yes, here HS256 potentially has a niche. Caching of public certs etc. aside (for a caching example using node.js see here and here), having a symmetric key and using it locally at the application, without the need for any network request at all, may prove more efficient. That said, most good JWKS libraries / SDKs will handle caching options out of the box. But really the question you should be asking is whether these benefits (performance optimization?) outweigh the disadvantages, certainly from a security perspective.

A major benefit of RS256, which trumps most arguments for choosing HS256, is simply that there is no need to store (co-locate) secrets with the Client application: the private key is only known by the Authorization Server (Auth0 etc.), so there is no shared secret that the application can leak. See this answer and feel free to leave comments there (Auth0 Community website) if still not convinced.

Confidential vs Public Clients - you should only even consider HS256 if your Client is considered a Confidential Client. Auth0 has switched to using RS256 by default for new Clients, and its Resource APIs also default to RS256.

That alone pretty much tells you why RS256 is overwhelmingly the better choice for most situations.