Is it possible to use RS256 in JWT ?

[MihaiBeigar]

I got an ticket from security we should switch to at least RS256 with private / public key pair.
Tried reading all related files and found play.api.http.JWTConfiguration but it seems it defaults to HS256 and has no parameters to accept the key pair.

So the question is does play framework have support for anything else than HS for JWT ?

[will-sargent-eero]

You mean like https://github.com/franzgranlund/play-java-jwt or do you want to swap out the session cookie baker?

[MihaiBeigar]

I was looking for a builtin configuration for the session cookie:

Something like:

jwt {
signatureAlgorithm = "RS256"
expiresAfter = ${play.http.session.maxAge}
clockSkew = 5 minutes
dataClaim = "data"

# PrivateKey or CertPath.
privateKey= "yyyyyyyyyyyyyyyyy"

# PublicKey or CertPath.
privateKey= "xxxxxxxxxxxxxxxxxxxx"
}

I would understand if something like this doesn't exist, so if you want to give me some hints on swapping out the cookie baker I would appreciate it.

[wsargent]

The default session cookie baker is here:

https://github.com/playframework/playframework/blob/main/core/play/src/main/scala/play/api/mvc/Session.scala#L120

and then the CookiesModule binds that:

https://github.com/playframework/playframework/blob/main/core/play/src/main/scala/play/api/mvc/Cookie.scala#L844

So you can override the binding to SessionCookieBaker to use something other than the DefaultSessionCookieBaker with your own module and implementation, so like https://www.playframework.com/documentation/2.8.x/SettingsSession#URL-Encoded-Cookie-Encoding only with your own module instead.

play.modules.disabled+="play.api.mvc.CookiesModule"
play.modules.enabled+="com.mycompany.MyCookieModule"

If you start off just copying the existing code and set up the session cookie baker with printlns/log.debug statements then you can see what's happening and start tweaking the code from there.

[mkurz]

@MihaiBeigar did you create your own session cookie baker finally? If so, it might make sense to have this working out of the box in Play itself so other users can benefit from such a feature as well. Do you want to provide a pull request to support private/public keys for RS256?

[MihaiBeigar]

Hey @mkurz ! I'm sorry to tell you this is still in the backlog and unfortunately it doesn't look like it's going to come out anytime soon. Anyway if we finally get to develop this feature it would be a pleasure to provide a pull request.