
List:       esb-java-dev
Subject:    [Dev] JWKS endpoint support for Key rotation
From:       Inthirakumaaran Tharmakulasingham <inthirakumaaran () wso2 ! com>
Date:       2019-04-12 13:52:02
Message-ID: CAMC2_dd1_HsxdUKL+Zd7vGBjzkkzWGNNGucEcQJV4ieJ7Kj94w () mail ! gmail ! com


Hi all,

Currently, we are working on a feature to support multiple JWKs in the JWKS
endpoint, to expose information about the old keys in the case of key
rotations.

The current flow:

In order to rotate the key, the user has to create a new keystore with one
key and replace the current keystore. In the JWKS endpoint [2], the parameters
of the new public key will be shown, and users can generate a public key
from them to verify the signature in the tokens.


Main problem:

A user with a token signed by the old key pair won't be able to validate its
signature with the new key set available in the JWKS endpoint.


Expected flow:

When the user initiates the key rotation, the details of the old public key,
along with the new key, will be shown in the JWKS endpoint for a grace period.
This feature will be supported for all the tenants and it will be an
end-to-end solution. The expiry time can be set by the tenant admins, and after
that period the old key details will be removed from the JWKS endpoint.


So far we have 2 suggestions to solve this problem:

1. Add the public keys of the old key pair to a DB and expose them via the JWKS
endpoint for a certain time period. The public certs can be added and deleted
via the management console.
2. Make the existing keystore support multiple key pairs and back them up
in a DB where the details of each key will be securely stored. Like the
previous case, this DB can be managed by the management console. In this
approach, we will look at the possibility of creating our own keystore rather
than using the Java KeyStore (JKS).

Please share your thoughts on this.

Resources
[1] JWK: https://tools.ietf.org/html/rfc7517
[2] https://docs.wso2.com/display/IS570/JSON+Web+Key+Set+Endpoint

Thanks and Regards
kumaaran

-- 
*Inthirakumaaran*
Software Engineer | WSO2

E-mail: Inthirakumaaran@wso2.com
Mobile: +94775558050
Web: https://wso2.com

<http://wso2.com/signature>
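The expected flow above (old and new key both published for a grace period, old key dropped afterwards, consumers picking the key by `kid`) as an added example; this is illustrative Python written for this page, not WSO2 code, and the JWK modulus values, key ids and token are constructed placeholders:

```python
import base64
import json

# Constructed sample JWKs (RFC 7517): the "n" values are placeholders, not real
# RSA parameters; only "kid" matters for this demonstration.
OLD_KEY = {"kty": "RSA", "kid": "2018-key", "use": "sig", "alg": "RS256",
           "n": "PLACEHOLDER_OLD_MODULUS", "e": "AQAB"}
NEW_KEY = {"kty": "RSA", "kid": "2019-key", "use": "sig", "alg": "RS256",
           "n": "PLACEHOLDER_NEW_MODULUS", "e": "AQAB"}


class JwksPublisher:
    """Keeps the active key plus rotated-out keys until their grace period ends."""

    def __init__(self, active_key):
        # list of (jwk, expires_at); None means the key never expires (active key)
        self._entries = [(active_key, None)]

    def rotate(self, new_key, grace_seconds, now):
        # Every existing key becomes an "old" key that expires after the grace
        # period; a key that already had an earlier expiry keeps the earlier one.
        deadline = now + grace_seconds
        self._entries = [(jwk, deadline if exp is None else min(exp, deadline))
                         for jwk, exp in self._entries]
        self._entries.append((new_key, None))

    def jwks(self, now):
        # Expired old keys are dropped, so the endpoint stops vouching for them.
        live = [jwk for jwk, exp in self._entries if exp is None or exp > now]
        return {"keys": live}


def jwt_kid(token):
    """Return the 'kid' from an (unverified) JWT header; signature checking is out of scope."""
    header_b64 = token.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded)).get("kid")


def select_key(token, jwks_doc):
    """Pick the JWK whose kid matches the token header, or None once it has aged out."""
    kid = jwt_kid(token)
    return next((k for k in jwks_doc["keys"] if k.get("kid") == kid), None)


def make_token(kid):
    # Constructed token: real header, empty payload ({}), dummy signature; enough for kid lookup.
    header = base64.urlsafe_b64encode(
        json.dumps({"alg": "RS256", "kid": kid}).encode()).rstrip(b"=").decode()
    return f"{header}.e30.c2ln"
```

A verifier that finds no matching `kid` must reject the token rather than fall back to another key; that rejection is exactly what the grace period is meant to postpone for tokens issued under the old key.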





_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

