Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support signing and encryption key rotation #10

Open
tekul opened this issue Feb 21, 2015 · 0 comments
Open

Support signing and encryption key rotation #10

tekul opened this issue Feb 21, 2015 · 0 comments
Labels
feature

Comments

@tekul
Copy link
Owner

tekul commented Feb 21, 2015

The OP needs to be able to manage keys as defined in

http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys

  • Configure a lifetime for key(s) and a grace period within which old keys are valid
  • Set a cache-control header on the jwks endpoint, based on the lifetime
  • Retain old keys internally for the grace period

An RP implementation should be able to use the same code
@tekul tekul added the feature label Feb 21, 2015
@tekul tekul changed the title Support singing and encryption key rotation Support signing and encryption key rotation Feb 21, 2015
tekul added a commit that referenced this issue May 6, 2015
@tekul
Refactor key and token handling
49bd10d 
Lays the ground for key rotation (see #10). Removes hard coding of JWT
access and refresh tokens and stores the keys in MVars in the in-memory
configuration.
tekul added a commit that referenced this issue May 23, 2015
@tekul
Introduce KeyRing data type and key rotation (#10)
267c744 
Acts as a store for the keys for the server's different use cases.
A KeyStore is initialised separately and then used when building the
configuration. A default option is provided which loads the keys from
a standard file or generates new keys if the file is not found.

Key rotation is also implemented via a function on the keyring, as well
as dealing with expired keys which are outside the grace period. It relies
on the ordering of the keys, for example, the current signing key will
be the first one found in the list of all keys. If there aren't enough
active keys available to perform singing and encryption, an automatic
key rotation will be performed on startup.

There's currently no way to actually perform a key rotation in a running
server. It would have to be triggered through an admin API, for example.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@tekul