Hi all,

Currently, we are working on a feature to support multiple JWKs in the JWKS endpoint, to expose information about the old keys in the case of key rotation.

The current flow: In order to rotate the key, the user has to create a new keystore with one key and replace the current keystore. In the JWKS endpoint [2], the parameters of the new public key will be shown, and users can generate a public key from them to verify the signature of the tokens.

Main problem: A user with a token signed by the old key pair won't be able to validate its signature with the new key set available in the JWKS endpoint.

Expected flow: When the user initiates the key rotation, the details of the old public key will be shown in the JWKS endpoint along with the new key for a grace period. This feature will be supported for all the tenants, and it will be an end-to-end solution. The expiry time can be set by the tenant admins, and after that period the old key details will be removed from the JWKS endpoint.

So far we have 2 suggestions to solve this problem:

1. Add the public keys of old key pairs into a DB and expose them via the JWKS endpoint for a certain time period. The public certs can be added and deleted via the management console.

2. Make the existing keystore support multiple key pairs and back them up via a DB where the details of each key will be securely stored. Like the previous case, this DB can be managed by the management console. In this approach, we will look at the possibility of creating our own keystore rather than using the Java Key Store (JKS).

Please share your thoughts on this.

Resources
[1] JWK: https://tools.ietf.org/html/rfc7517
[2] https://docs.wso2.com/display/IS570/JSON+Web+Key+Set+Endpoint

Thanks and Regards,
kumaaran

--
Inthirakumaaran
Software Engineer | WSO2
E-mail: [email protected]
Mobile: +94775558050
Web: https://wso2.com
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
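The "expected flow" above (old key published alongside the new one for a tenant-configurable grace period, then dropped) and the verifier side of the "main problem" (a token whose `kid` is no longer in the set) can be shown end to end with a small multi-key store. The code below is an added example and is not WSO2 Identity Server code: `KeyStore`, `Rotate`, `JWKS`, `Sign` and `Verify` are hypothetical names, the store keeps the retired keys in memory rather than in a DB or JKS, and it uses Ed25519 keys in the OKP JWK form (RFC 8037) purely to keep the example short, whereas the WSO2 endpoint publishes RSA `n`/`e` parameters. The mechanism is the same in both cases: every published key carries a `kid`, the JWT header names the `kid` it was signed with, the endpoint serves the active key plus every retired key whose grace period has not ended, and the verifier rejects a token whose `kid` it cannot find. Deriving `kid` from the RFC 7638 thumbprint is an assumption of this example, chosen so that two different keys can never collide on the same identifier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type (
	// JWK is the public half of a key as the JWKS endpoint publishes it (RFC 7517; OKP form, RFC 8037).
	JWK struct {
		Kty string `json:"kty"`
		Crv string `json:"crv"`
		Kid string `json:"kid"`
		X   string `json:"x"`
	}
	JWKS     struct{ Keys []JWK `json:"keys"` }
	keyEntry struct {
		kid      string
		priv     ed25519.PrivateKey
		retireAt time.Time // zero while this key is the active signer
	}
	// KeyStore is the hypothetical multi-key store: the last entry signs; earlier entries are
	// retired keys whose public half stays in the JWKS until retireAt (rotation time + Grace).
	KeyStore struct {
		Grace time.Duration
		keys  []keyEntry
	}
)

var enc = base64.RawURLEncoding

// Rotate generates a fresh active key and starts the grace period of the previous one. The kid
// is the RFC 7638 thumbprint (members in lexicographic order), so two keys never share a kid.
func (ks *KeyStore) Rotate(now time.Time) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand; a failure there is fatal anyway
	if n := len(ks.keys); n > 0 {
		ks.keys[n-1].retireAt = now.Add(ks.Grace)
	}
	tp := sha256.Sum256([]byte(`{"crv":"Ed25519","kty":"OKP","x":"` + enc.EncodeToString(pub) + `"}`))
	ks.keys = append(ks.keys, keyEntry{kid: enc.EncodeToString(tp[:]), priv: priv})
}

// JWKS returns what the endpoint serves at `now`: the active key plus retired keys still in grace.
func (ks *KeyStore) JWKS(now time.Time) JWKS {
	var out JWKS
	for _, k := range ks.keys {
		if k.retireAt.IsZero() || now.Before(k.retireAt) {
			x := enc.EncodeToString(k.priv.Public().(ed25519.PublicKey))
			out.Keys = append(out.Keys, JWK{Kty: "OKP", Crv: "Ed25519", Kid: k.kid, X: x})
		}
	}
	return out
}

// Sign issues a compact EdDSA JWT with the active key, naming it in the header via kid.
func (ks *KeyStore) Sign(claims map[string]any) (string, error) {
	active := ks.keys[len(ks.keys)-1]
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": active.kid})
	body, err := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	return input + "." + enc.EncodeToString(ed25519.Sign(active.priv, []byte(input))), err
}

// Verify checks a token against a published JWKS: the alg must be the one the endpoint advertises
// and the kid must still be in the set, so a token under a key past its grace period is rejected.
func Verify(token string, jwks JWKS) (json.RawMessage, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWT")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("bad JWT header")
	}
	if hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub ed25519.PublicKey
	for _, k := range jwks.Keys {
		if x, err := enc.DecodeString(k.X); k.Kid == hdr.Kid && err == nil && len(x) == ed25519.PublicKeySize {
			pub = x
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("kid %q is not in the JWKS (rotated out or never issued)", hdr.Kid)
	}
	sig, err1 := enc.DecodeString(parts[2])
	body, err2 := enc.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, fmt.Errorf("signature does not verify")
	}
	return body, nil
}
```

Two practical points follow from the grace-period rule in this example. The grace period a tenant admin configures must be at least as long as the longest token lifetime the old key may have signed; otherwise valid, unexpired tokens are rejected the moment the old entry drops out of the set. And a relying party that caches the JWKS should, on an unknown `kid`, refetch the endpoint once before failing the token, since a freshly rotated key will not be in its cache yet; `Verify` above is written against whatever set the caller passes in, so that refetch belongs in the caller.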
