🔧 Supabase Auth Introduces Asymmetric JWTs


News section: 🔧 Programming
🔗 Source: dev.to

Asymmetric JWTs in Q4 2024

At the beginning of October 2024, Supabase announced the details of the upcoming introduction of asymmetric JWTs.

The news is that Supabase has decided to push back the launch from 7th October 2024 to Q4 2024 in order to roll this out meticulously; they want to perform exhaustive security checks and spend more time dogfooding internally.

Very simply speaking, this is the classic public/private key cryptography flow: one private key is used in the backend, and a publicly shareable key is used to verify.

Changes

To use asymmetric JWTs in your Supabase project, you will need to make the following changes:

  • Get an asymmetric key through the Supabase dashboard.
  • Use the new public JWKs endpoint for retrieving the public JWK used to verify JWTs. It will be exposed at https://<project_ref>.supabase.co/auth/v1/.well-known/jwks.json. The symmetric secret will not be exposed through this endpoint, for security reasons.
  • Use the new getClaims() method, which verifies the JWT and returns the claims in it.
  • Use the public key wherever you need it: you will be able to download the public keys in different formats (e.g. PEM, JWKs) through the dashboard.
  • Ensure that you are using the new API keys (publishable key sb_publishable_123abc and secret key sb_secret_123abc) instead of the old anon key (eyJhbGciOiJIUzI1...FDsBGn0iqSmL28Zeg8f0) and service_role key (eyJhbGciOiJIUzI1...SEVEyZQNhffCoSj4P5A).
  • Update all your clients to use at least supabase-js version x.x.x (the version number will be updated closer to the release date), which will introduce the new getClaims() method.

getClaims() method

getClaims() will be able to verify both asymmetric JWTs and symmetric JWTs.

Using getClaims() to verify the JWT, your code will probably look like this:

import { createClient } from '@supabase/supabase-js'

const supabase = createClient(SUPABASE_URL, SUPABASE_KEY)

// previously, using getUser() required making an
// additional network request to Supabase Auth to verify the JWT
//
// const { data, error } = await supabase.auth.getUser()

// getClaims() will always return the JWT payload if the JWT is verified.
// If it's an asymmetric JWT, getClaims() verifies it using the JWKs endpoint.
// If it's a symmetric JWT, getClaims() calls getUser() to verify the JWT.
// `jwks` is the public key set fetched from /auth/v1/.well-known/jwks.json;
// pass it to avoid a network request, or omit it to let the client fetch and cache it.
const { data, error } = await supabase.auth.getClaims(jwks)

Calling getClaims() without passing in the JWKs still requires a network request to the /auth/v1/.well-known/jwks.json endpoint; however, Supabase will be able to cache the JWKs in memory so that subsequent calls to getClaims() do not have to make a request. In short: getClaims() without an argument still requires a network request, while getClaims(jwks) avoids the network request entirely.

Advantages

  • Use of asymmetric key cryptography rather than a shared symmetric secret. Since asymmetric keys don't rely on a shared secret, there is less risk of the secret being leaked.
  • Faster JWT verification and fewer network requests, since there is no need to make a network call to Supabase Auth via getUser().
  • Zero-downtime key rotation. Several public keys can be exposed at once, and any one of them may be used for verification.

Migration

New projects created after 1st May 2025 will be created with an RSA asymmetric key by default. Existing projects can choose to start using asymmetric keys as described above.

...
