Update jazzband#1311 documentation to recommend using RS256 rather th…

…an HS256.
n2ygk · May 13, 2024 · 685a7b0 · 685a7b0
1 parent c7caea1
commit 685a7b0
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -41,7 +41,9 @@ These issues both result in `{"error": "invalid_client"}`:
   See [Setup a provider](https://django-oauth-toolkit.readthedocs.io/en/latest/tutorial/tutorial_03.html#setup-a-provider) in the Tutorial.
 * #1273 Performance improvement: Add caching of loading of OIDC private key.
 * #1285 Add `post_logout_redirect_uris` field in the [Application Registration form](https://django-oauth-toolkit.readthedocs.io/en/latest/templates.html#application-registration-form-html)
-* #1311 Add option to disable client_secret hashing to allow verifying JWTs' signatures.
+* #1311 (**Security**) Add option to disable client_secret hashing to allow verifying JWTs' signatures when using
+  [HS256 keys](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#using-hs256-keys).
+  This means your client secret will be stored in cleartext but is the only way to successfully use HS256 signed JWT's.
 * #1337 Gracefully handle expired or deleted refresh tokens, in `validate_user`.
 * #1350 Support Python 3.12 and Django 5.0
 * #1249 Add code_challenge_methods_supported property to auto discovery information, per [RFC 8414 section 2](https://www.rfc-editor.org/rfc/rfc8414.html#page-7)

diff --git a/docs/getting_started.rst b/docs/getting_started.rst
@@ -246,7 +246,12 @@ Point your browser to http://127.0.0.1:8000/o/applications/register/ lets create
 
 Fill the form as show in the screenshot below and before save take note of ``Client id`` and ``Client secret``, we will use it in a minute.
 
-If you want to use this application with OIDC and ``HS256`` (see :doc:`OpenID Connect <oidc>`), uncheck ``Hash client secret`` to allow verifying tokens using JWT signatures. This means your client secret will be stored in cleartext but is the only way to successfully use signed JWT's.
+If you want to use this application with OIDC and ``HS256`` (see :doc:`OpenID Connect <oidc>`), uncheck ``Hash client secret`` to allow verifying tokens using JWT signatures. This means your client secret will be stored in cleartext but is the only way to successfully use signed JWT's with ``HS256``.
+
+.. note::
+    ``RS256`` is the more secure algorithm for signing your JWTs. Only use ``HS256`` if you must.
+    Using ``RS256`` will allow you to keep your ``client_secret`` hashed.
+
 
 .. image:: _images/application-register-auth-code.png
    :alt: Authorization code application registration

diff --git a/docs/oidc.rst b/docs/oidc.rst
@@ -149,8 +149,8 @@ scopes in your ``settings.py``::
     }
 
 .. note::
-    If you want to enable ``RS256`` at a later date, you can do so - just add
-    the private key as described above.
+    ``RS256`` is the more secure algorithm for signing your JWTs. Only use ``HS256`` if you must.
+    Using ``RS256`` will allow you to keep your ``client_secret`` hashed.
 
 
 RP-Initiated Logout