Azure KeyVault for signing sample #38

leastprivilege · 2022-01-19T08:43:49Z

amadard · 2022-04-22T21:45:43Z

I have looked into how to use the KeyVault for signing tokens and I ran into a couple items:

KeyVault has a 2000 request per 10 second hard limit. My thought was to build a solution that allowed multiple KeyVaults to be hooked up to scale past the rate limit when approaching that request rate. It would require retrieving the public key from all connected KeyVaults.
https://docs.microsoft.com/en-us/azure/key-vault/general/service-limits
https://docs.microsoft.com/en-us/azure/key-vault/general/overview-throttling
All of the examples I found for using the KeyVault to sign tokens were based on the premise of only one signing algorithm, and that created potential difficulties if specific certificates were used for specific algorithms. There needs to be one implementation of ISigningCredentialStore per signing algorithm, and the DefaultTokenCreationService needs to know the correct certificate URL to use based on the requested signing algorithm.

leastprivilege self-assigned this Jan 19, 2022

leastprivilege added the sample request label Jan 19, 2022

leastprivilege removed their assignment Dec 22, 2022

brockallen added this to the Future milestone Jan 23, 2024

Provide feedback