
Key History #505

Open
nynymike opened this issue Apr 19, 2017 · 0 comments

@nynymike
Contributor

commented Apr 19, 2017

How would an old signature be validated after key rotation happens? While the private key can be disposed of, we need to keep a history of the public keys. It would be best if this information was stored in LDAP, something like this:

dn: id=d07668b9d367,ou=keyhistory,o=(org-inum),o=gluu
objectclass: top
objectclass: oxKeyHistoryEntry
oxAuthConfWebKeys: {keyInfo}
oxAuthCreation: 20170129120000.0Z
oxAuthExpiration: 20170131120000.0Z
oxAuthKeyType: tls
oxAuthIssuer: https://idp.example.com

Note: oxAuthKeyType could have values either tls (normal key used for jwks_uri) or signing (used for OpenID Federation).

@nynymike nynymike added this to the CE 3.1.0 milestone Apr 19, 2017

@nynymike nynymike modified the milestones: CE 3.2.0, CE 3.1.0 Jun 26, 2017

@yurem yurem modified the milestones: 4.0, 4.1 Mar 5, 2019
