JSON Web Tokens Minimum Length Increase (PAR 69953)
The length requirements for the secret strings used to encode and validate JSON Web Tokens have been updated to match the JSON Web Algorithms standard (https://datatracker.ietf.org/doc/html/rfc7518#section-3.2).
If your secret string is too short, this change could cause your REST web service authentication to fail. To avoid this, you must regenerate the JSON Web Tokens with a secret that meets the new, stricter length requirement; that is:
- 256-bit secret for the HS256 algorithm
- 384-bit secret for the HS384 algorithm
- 512-bit secret for the HS512 algorithm
The following table lists the JadeJsonWebToken class methods that have been updated with a longer minimum length for the secret string.
Method | New Minimum Length (characters) | Old Minimum Length (characters) |
---|---|---|
encodeHS256 | 32 | 16 |
encodeHS384 | 48 | 16 |
encodeHS512 | 64 | 16 |
In addition, the JadeJsonWebToken class Error_SecretTooShort and MinSecretLength constants have been deprecated as each method now has a specific minimum length.
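One way to audit existing secrets against the minimums in the table above and generate compliant replacements, as an added Python example that is not Jade code and does not use the JadeJsonWebToken class. The function names, the sample secret and the sample token are constructed for illustration, and the length check assumes single-byte characters.

```python
import base64, hashlib, hmac, json, secrets

# Minimum secret length in characters per algorithm, from the table above.
# Assumption: single-byte characters, so 32 characters = 256 bits.
MIN_SECRET_CHARS = {"HS256": 32, "HS384": 48, "HS512": 64}
DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def new_secret(alg):
    """Random secret with as many bits of entropy as the hash output.
    token_urlsafe(n) encodes n random bytes, so the resulting string is
    longer than n characters and always clears the minimum."""
    return secrets.token_urlsafe(MIN_SECRET_CHARS[alg])

def sign_unchecked(payload, secret, alg):
    """Compact JWS with no length check; used to build the legacy sample."""
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": alg, "typ": "JWT"}, payload)]
    signing_input = ".".join(parts)
    mac = hmac.new(secret.encode(), signing_input.encode(), DIGESTS[alg]).digest()
    return signing_input + "." + b64url(mac)

def sign(payload, secret, alg):
    """Sign only when the secret meets the minimum length for alg."""
    if len(secret) < MIN_SECRET_CHARS[alg]:
        raise ValueError(f"{alg} secret needs at least {MIN_SECRET_CHARS[alg]} characters")
    return sign_unchecked(payload, secret, alg)

def audit(token, secret):
    """Return (alg from the token header, whether secret meets its minimum)."""
    alg = json.loads(b64url_decode(token.split(".")[0]))["alg"]
    if alg not in MIN_SECRET_CHARS:
        raise ValueError(f"unexpected alg {alg!r}")
    return alg, len(secret) >= MIN_SECRET_CHARS[alg]

# Constructed sample: a token signed with a 16-character secret (the old minimum).
LEGACY_SECRET = "0123456789abcdef"
LEGACY_TOKEN = sign_unchecked({"sub": "demo"}, LEGACY_SECRET, "HS256")

if __name__ == "__main__":
    print(audit(LEGACY_TOKEN, LEGACY_SECRET))   # secret is too short for HS256
    fresh = new_secret("HS256")
    print(audit(sign({"sub": "demo"}, fresh, "HS256"), fresh))
```

A secret that merely reaches the minimum character count but is drawn from a small alphabet or a dictionary word still has far less entropy than the bit figures in the list above, which is why the replacement here is generated from random bytes.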