Update django-oauth#1311 documentation to recommend using RS256 rather than HS256.

n2ygk · n2ygk · commit 685a7b00265c · 2024-05-13T11:12:49.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -41,7 +41,9 @@ These issues both result in `{"error": "invalid_client"}`:
   See [Setup a provider](https://django-oauth-toolkit.readthedocs.io/en/latest/tutorial/tutorial_03.html#setup-a-provider) in the Tutorial.
 * #1273 Performance improvement: Add caching of loading of OIDC private key.
 * #1285 Add `post_logout_redirect_uris` field in the [Application Registration form](https://django-oauth-toolkit.readthedocs.io/en/latest/templates.html#application-registration-form-html)
-* #1311 Add option to disable client_secret hashing to allow verifying JWTs' signatures.
+* #1311 (**Security**) Add option to disable client_secret hashing to allow verifying JWTs' signatures when using
+  [HS256 keys](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#using-hs256-keys).
+  This means your client secret will be stored in cleartext but is the only way to successfully use HS256 signed JWT's.
 * #1337 Gracefully handle expired or deleted refresh tokens, in `validate_user`.
 * #1350 Support Python 3.12 and Django 5.0
 * #1249 Add code_challenge_methods_supported property to auto discovery information, per [RFC 8414 section 2](https://www.rfc-editor.org/rfc/rfc8414.html#page-7)
diff --git a/docs/getting_started.rst b/docs/getting_started.rst
@@ -246,7 +246,12 @@ Point your browser to http://127.0.0.1:8000/o/applications/register/ lets create
 
 Fill the form as show in the screenshot below and before save take note of ``Client id`` and ``Client secret``, we will use it in a minute.
 
-If you want to use this application with OIDC and ``HS256`` (see :doc:`OpenID Connect <oidc>`), uncheck ``Hash client secret`` to allow verifying tokens using JWT signatures. This means your client secret will be stored in cleartext but is the only way to successfully use signed JWT's.
+If you want to use this application with OIDC and ``HS256`` (see :doc:`OpenID Connect <oidc>`), uncheck ``Hash client secret`` to allow verifying tokens using JWT signatures. This means your client secret will be stored in cleartext but is the only way to successfully use signed JWT's with ``HS256``.
+
+.. note::
+    ``RS256`` is the more secure algorithm for signing your JWTs. Only use ``HS256`` if you must.
+    Using ``RS256`` will allow you to keep your ``client_secret`` hashed.
+
 
 .. image:: _images/application-register-auth-code.png
    :alt: Authorization code application registration
diff --git a/docs/oidc.rst b/docs/oidc.rst
@@ -149,8 +149,8 @@ scopes in your ``settings.py``::
     }
 
 .. note::
-    If you want to enable ``RS256`` at a later date, you can do so - just add
-    the private key as described above.
+    ``RS256`` is the more secure algorithm for signing your JWTs. Only use ``HS256`` if you must.
+    Using ``RS256`` will allow you to keep your ``client_secret`` hashed.
 
 
 RP-Initiated Logout

Original file line number	Diff line number	Diff line change
@@ -149,8 +149,8 @@ scopes in your ``settings.py``::
`149`	`149`	`}`
`150`	`150`
`151`	`151`	`.. note::`
`152`		- If you want to enable ``RS256`` at a later date, you can do so - just add
`153`		`- the private key as described above.`
	`152`	+ ``RS256`` is the more secure algorithm for signing your JWTs. Only use ``HS256`` if you must.
	`153`	+ Using ``RS256`` will allow you to keep your ``client_secret`` hashed.
`154`	`154`
`155`	`155`
`156`	`156`	`RP-Initiated Logout`