Multiple keys support in the jwks_uri url #101
Comments
@janz93 thanks for raising this issue!
@toupeira thank you for your response. Regarding the second point. I think since both gems are doing their own JWT setup a solution can not be found here in this issue. For the first point if possible I would like to take on this enhancement and create a PR with a possible solution for it. |
@janz93 Sure that would be awesome! The only thing you have to watch out for is to still support a non-array value in existing configurations.
Yeah I guess there would be ways to do it, but not very cleanly 😉
@janz93 We got around this by using the same key pair for doorkeeper-jwt as we did for doorkeeper-open_id_connect. If you are including a With that said, we would like to be able to rotate the keys that are used to sign the jwt access token / id token and be able to have the
For those curious, the following worked for me:

```ruby
# inside the Doorkeeper::JWT.configure block: add the signing key's
# JWK thumbprint as the `kid` header of every issued token
token_headers do |opts|
  key = OpenSSL::PKey.read(File.read('<private_key>.pem'))
  { kid: JSON::JWK.new(key)[:kid] }
end
```
I am interested in support for multiple keys so that I can roll them without causing issues for active access tokens. I could put together a proposal here / file PRs for support if people are interested.
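The `kid` header from the comment above and the key rolling asked for in the previous comment, as an added example that is not part of this thread and not code from doorkeeper-jwt or doorkeeper-openid_connect: a stand-alone Ruby script, standard library only, that publishes several RSA keys as the document a `jwks_uri` would serve, signs RS256 tokens whose `kid` is the RFC 7638 thumbprint (the same value json-jwt uses as the default `kid`), and verifies tokens against the JWKS the way a resource server would. The helper names (`jwks_document`, `sign_jwt`, `verify_jwt`, `rotation_demo`), the in-process generated keys and the sample claims are assumptions made for the illustration.

```ruby
require 'openssl'
require 'json'
require 'digest'

# base64url without padding (RFC 7515 section 2), built on pack/unpack so no gem is needed.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# RFC 7638 thumbprint of an RSA public key: SHA-256 over the canonical JSON of
# the required members (e, kty, n) in lexicographic order with no whitespace.
def jwk_thumbprint(key)
  canonical = { e: b64url(key.e.to_s(2)), kty: 'RSA', n: b64url(key.n.to_s(2)) }
  b64url(Digest::SHA256.digest(JSON.generate(canonical)))
end

# Public JWK for one signing key, as it would appear in the jwks_uri document.
def public_jwk(key)
  { kty: 'RSA', use: 'sig', alg: 'RS256', kid: jwk_thumbprint(key),
    n: b64url(key.n.to_s(2)), e: b64url(key.e.to_s(2)) }
end

# The JWKS document (hypothetical helper): every key whose tokens may still be in circulation.
def jwks_document(keys)
  JSON.generate({ keys: keys.map { |k| public_jwk(k) } })
end

# RS256-sign a JWT and put the signing key's thumbprint in the `kid` header
# so a verifier can pick the matching key out of the JWKS.
def sign_jwt(claims, key)
  header = { alg: 'RS256', typ: 'JWT', kid: jwk_thumbprint(key) }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  sig = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Rebuild an RSA public key from a JWK by wrapping (n, e) in a
# SubjectPublicKeyInfo, which every openssl gem version can parse.
def rsa_from_jwk(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk['n']), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk['e']), 2)
  rsa_public_key = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)])
  spki = OpenSSL::ASN1::Sequence([
    OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('rsaEncryption'), OpenSSL::ASN1::Null(nil)]),
    OpenSSL::ASN1::BitString(rsa_public_key.to_der)
  ])
  OpenSSL::PKey::RSA.new(spki.to_der)
end

# Resource-server side: verify a token using only the published JWKS JSON.
# Returns [status, claims]; the alg is pinned before any key lookup so that
# `alg: none` or an HMAC downgrade never reaches the signature check.
def verify_jwt(token, jwks_json)
  parts = token.split('.', -1)
  return [:malformed, nil] unless parts.length == 3
  h64, p64, s64 = parts
  header = JSON.parse(b64url_decode(h64))
  return [:bad_alg, nil] unless header['alg'] == 'RS256'
  jwk = JSON.parse(jwks_json)['keys'].find { |k| k['kid'] == header['kid'] }
  return [:unknown_kid, nil] if jwk.nil?
  ok = rsa_from_jwk(jwk).verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s64), "#{h64}.#{p64}")
  return [:bad_signature, nil] unless ok
  [:ok, JSON.parse(b64url_decode(p64))]
end

# Rotation walk-through with constructed keys: tokens signed before the
# rotation stay valid while the old key is still published; a key that has
# already been dropped from the JWKS can no longer validate anything.
def rotation_demo
  old_key, new_key, retired_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  old_token = sign_jwt({ sub: 'user-1', iss: 'https://issuer.example' }, old_key)

  jwks = jwks_document([new_key, old_key]) # old key stays published until its tokens expire
  new_token = sign_jwt({ sub: 'user-2', iss: 'https://issuer.example' }, new_key)
  stale_token = sign_jwt({ sub: 'user-3' }, retired_key)

  { old: verify_jwt(old_token, jwks).first,
    new: verify_jwt(new_token, jwks).first,
    retired: verify_jwt(stale_token, jwks).first }
end

puts rotation_demo.inspect if $PROGRAM_NAME == __FILE__
```

The order that makes rolling safe is: add the new key to the JWKS first and let relying parties refresh their cache, then switch signing to it, and only drop the old key once the last token signed with it has expired. The `retired` case in `rotation_demo` is what happens to tokens whose key was dropped too early, and it is the reason the JWKS has to be able to carry more than one key.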
First of all thank you 😃 for all the work that has been put into this project.
It helped me a lot to get my app running without needing to understand the specs in detail. 👍 🙏

Background

In the process of switching the access token to a JWT token, I used the `doorkeeper-jwt` gem as described in the doorkeeper guide and followed their instructions. I generated a new keypair and passed the information to the `secret_key` method of `doorkeeper-jwt`.

Problem

I expected the new keypair information to be displayed in the `jwks_uri` from the `.well-known/openid-configuration`. I discovered that only the one key defined in the `doorkeeper-openid_connect` configuration will be displayed in the jwks_uri URL.

Question

Would it be possible to have a configuration where multiple keys are supported? Multiple OAuth providers (AWS Cognito or Auth0) use this principle, as it allows for a lot of flexibility, for example in deprecating keypairs slowly.

Additionally, building on top of the assumption of having multiple key support: how could you get access to the keypair defined in the `doorkeeper-jwt` configuration? (Maybe this should be placed as a separate issue, and maybe this is also not the right place but either `doorkeeper-jwt` or `doorkeeper`; if that is the case please let me know in the comments.)

PS: I hope this issue is as expected; otherwise let me know and I'll adjust it accordingly.