Changing Private Encryption Key of JWT Token

When authentication is executed on a mobile platform server, the JWT token of the API user or administrator is created. To increase transfer security of the data that identify a subject, a digital signature is applied for the JWT token with the use of the private encryption key.

Digital signature application algorithm:

Calculate the checksum calculated in a specified way based on the contents of passed JWT token.
Encrypt the checksum with private key.
Transfer the JWT token to mobile platform server with the encrypted checksum.
Get data and decrypt the checksum with the public key.
Calculate the checksum of the obtained JWT token.
Compare checksums calculated at Steps 4 and 5.

A digital signature with private encryption key enables the user to detect illegal changing of JWT token contents and prevent from illegal access to requested data. A checksum changes at each changing of JWT token.

If a fault-tolerant cluster based on OKD/OCP is used, the same private encryption key is used by default on mobile platform server or in cluster. If required, one can change the private encryption key.

To change the private encryption key of JWT token:

Execute one of the operations depending on whether a fault-tolerant cluster is used:

On the mobile platform server open the .env file and set a new generated private encryption key in the HH_SECRET_KEY variable.
In the cluster set a new generated private encryption key in the django.deployment.secretKey parameter:

--set django.deployment.secretKey=<private encryption key>

Restart mobile platform.

After executing the operations the private encryption key of JWT token will be changed, the current JWT tokens of subjects will be invalid. To create valid JWT tokens, repeat authentication.