Changing Private Encryption Key of JWT Token

When a user or administrator authenticates on the mobile platform server, the server issues a JWT token for that API user or administrator. To protect the integrity of the claims that identify the subject while the token is in transit, the token is digitally signed with the private key (the documentation calls it the private encryption key; it is used for signing, not for encrypting the token contents).

Digital signature algorithm:

  1. Compute a hash (checksum) of the token contents (header and payload) with the agreed hash algorithm.

  2. Sign the hash with the private key.

  3. Present the JWT token, together with its signature, to the mobile platform server.

  4. On receipt, recover the hash from the signature with the public key.

  5. Recompute the hash over the received token contents.

  6. Compare the hashes obtained at Steps 4 and 5; if they differ, the token is rejected.

Because any change to the token contents changes its hash, a signature made with the private key lets the server detect unauthorized modification of the token (for example, an edited subject or role claim) and refuse access to the requested data. Note that the signature protects integrity only: the header and payload of a JWT token are base64url-encoded, not encrypted, so nothing secret should be placed in the claims.

By default, the mobile platform server, whether installed standalone or as a cluster deployed on Kubernetes, Deckhouse or OKD/OCP, uses the same built-in private key. Anyone who knows that default key can issue tokens the server will accept, so a production deployment should replace it with its own long, random value.

To change the private encryption key of the JWT token:

  1. Execute one of the operations depending on whether a fault-tolerant cluster is used, passing the new key as the value of the following setting (use a long random value and keep it out of shell history and logs):

--set django.deployment.secretKey=<private encryption key>

  2. Restart the mobile platform.

After these operations are completed, the private encryption key of the JWT token is changed, and every JWT token issued under the old key becomes invalid: its signature no longer verifies. Subjects must authenticate again to obtain valid tokens.
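The following added example (editor's illustration, not code from the mobile platform) works through both the signature check described above and the effect of changing the key: a token is issued and verified, a copy with an edited role claim is rejected because its hash no longer matches the signature, and after the key is replaced the old token fails verification while a freshly issued one passes. It uses HMAC-SHA256 from the Python standard library in place of the private/public key pair described on the page, because the standard library has no asymmetric signing; the sign/verify structure and the effect of rotating the key are the same. The key values, claim names and the `demo()` function are constructed for the example. The verifier pins a single algorithm and never trusts the `alg` field from the token itself.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed for this example: the server signs with exactly one algorithm and
# rejects tokens that claim any other, including "none".
ALG = "HS256"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, claims: dict) -> str:
    """Steps 1-2: serialize header.payload, hash it and sign the hash with the key."""
    header = _b64url(json.dumps({"alg": ALG, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(key: bytes, token: str, now=None):
    """Steps 4-6: recompute the signature over the received header.payload and
    compare it with the one presented. Returns the claims on success and None on
    any failure (malformed token, wrong algorithm, altered contents, wrong key, expiry)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != ALG:
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak how many bytes matched.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def tamper_role(token: str, new_role: str) -> str:
    """Constructed attack: rewrite the payload (privilege escalation) but keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["role"] = new_role
    return f"{header_b64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"


def demo() -> dict:
    """Walk through issue, verify, tamper detection and key change; keys are generated here."""
    key_v1 = secrets.token_bytes(32)
    claims = {"sub": "api-user-1", "role": "user", "exp": 2_000_000_000}  # constructed claims
    token = issue_token(key_v1, claims)
    forged = tamper_role(token, "admin")
    # The operator sets a new key (django.deployment.secretKey in the page's setup) and restarts.
    key_v2 = secrets.token_bytes(32)
    return {
        "valid": verify_token(key_v1, token) == claims,
        "forged_rejected": verify_token(key_v1, forged) is None,
        "old_token_after_rotation": verify_token(key_v2, token) is None,
        "reissued_valid": verify_token(key_v2, issue_token(key_v2, claims)) == claims,
    }


if __name__ == "__main__":
    print(demo())
```

The `old_token_after_rotation` result is the behaviour the page describes after the key change: the server has no way to distinguish a token signed under the previous key from a forged one, so every subject must authenticate again.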

See also:

Knowledge Base