feat(jans-auth-server): archived jwks (#6503)
* feat(jans-auth-server): archive rotated keys and make them available via endpoint #6437 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com> * feat(jans-auth-server): added /jwks/archived to swagger #6437 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com> * feat(jans-auth-server): added jwk archive on key rotation #6437 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com> * feat(jans-auth-server): added tests for archived jwk and clean up support #6437 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com> --------- Signed-off-by: YuriyZ <yzabrovarniy@gmail.com> Signed-off-by: Mustafa Baser <mbaser@mail.com>
1 parent
4436d90
commit 6590691
Showing
27 changed files
with
699 additions
and
24 deletions.
@@ -0,0 +1,45 @@ | ||
--- | ||
tags: | ||
- administration | ||
- auth-server | ||
- jwks | ||
- json-web-key-set | ||
- endpoint | ||
--- | ||
|
||
# Overview | ||
|
||
Janssen Server supports `/jwks/archived/{kid}` metadata endpoint and publishes its Archived JSON Web Keys (JWKs) at this endpoint. This | ||
endpoint publishes expired signing keys as well as expired encryption keys used by Janssen Server. RP can use these keys to validate | ||
signatures from Janssen Server, and also to perform encryption and decryption if keys are no longer present in `/jwks` endpoint. | ||
Like other metadata endpoints, this is not a secure endpoint. | ||
|
||
URL to access archived jwks endpoint on Janssen Server is listed in the response of Janssen Server's well-known | ||
[configuration endpoint](./configuration.md) given below. | ||
|
||
```text | ||
https://janssen.server.host/jans-auth/.well-known/openid-configuration | ||
``` | ||
|
||
`archived_jwks_uri` claim in the response specifies the URL for archived jwks endpoint. By default, the archived jwks endpoint looks like below: | ||
|
||
``` | ||
https://janssen.server.host/jans-auth/restv1/jwks/archived/{kid} | ||
``` | ||
|
||
This endpoint is always enabled and can not be disabled using feature flags. | ||
|
||
## Configuration Properties | ||
|
||
Archived JWKs endpoint can be further configured using Janssen Server configuration properties listed below. When using | ||
[Janssen Text-based UI(TUI)](../../config-guide/config-tools/jans-tui/README.md) to configure the properties, | ||
navigate via `Auth Server`->`Properties`. | ||
|
||
- [archivedJwksUri](../../reference/json/properties/janssenauthserver-properties.md#archivedjwksuri) | ||
- [archivedJwkLifetimeInSeconds](../../reference/json/properties/janssenauthserver-properties.md#archivedjwklifetimeinseconds) | ||
|
||
If `archivedJwkLifetimeInSeconds` is not set then AS falls back to one year expiration. After archived jwk lifetime is passed, jwk is removed from archive. | ||
|
||
## Want to contribute? | ||
|
||
If you have content you'd like to contribute to this page in the meantime, you can get started with our [Contribution guide](https://docs.jans.io/head/CONTRIBUTING/). |
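--- /dev/null
+++ b/jans-auth-server/common/src/main/java/io/jans/as/common/model/common/ArchivedJwk.java
@@ -0,0 +1,99 @@
+package io.jans.as.common.model.common;
+
+import io.jans.orm.annotation.*;
+import io.jans.orm.model.base.DeletableEntity;
+import org.json.JSONObject;
+
+import java.io.Serializable;
+import java.util.Date;
+
+/**
+ * @author Yuriy Z
+ */
+@DataEntry
+@ObjectClass(value = "jansArchJwk")
+public class ArchivedJwk extends DeletableEntity implements Serializable {
+
+    @DN
+    private String dn;
+
+    @AttributeName(name = "jansId")
+    private String id;
+
+    @AttributeName(name = "creationDate")
+    private Date creationDate = new Date();
+
+    @JsonObject
+    @AttributeName(name = "jansData")
+    private JSONObject data;
+
+    @AttributeName(name = "attr")
+    @JsonObject
+    private ArchivedKeyAttributes attributes;
+
+    @Expiration
+    private int ttl;
+
+    @Override
+    public String getDn() {
+        return dn;
+    }
+
+    @Override
+    public void setDn(String dn) {
+        this.dn = dn;
+    }
+
+    public String getId() {
+        return id;
+    }
+
+    public void setId(String id) {
+        this.id = id;
+    }
+
+    public Date getCreationDate() {
+        return creationDate;
+    }
+
+    public void setCreationDate(Date creationDate) {
+        this.creationDate = creationDate;
+    }
+
+    public JSONObject getData() {
+        return data;
+    }
+
+    public void setData(JSONObject data) {
+        this.data = data;
+    }
+
+    public ArchivedKeyAttributes getAttributes() {
+        if (attributes == null) attributes = new ArchivedKeyAttributes();
+        return attributes;
+    }
+
+    public void setAttributes(ArchivedKeyAttributes attributes) {
+        this.attributes = attributes;
+    }
+
+    public int getTtl() {
+        return ttl;
+    }
+
+    public void setTtl(int ttl) {
+        this.ttl = ttl;
+    }
+
+    @Override
+    public String toString() {
+        return "ArchivedKey{" +
+                "dn='" + dn + '\'' +
+                ", id='" + id + '\'' +
+                ", creationDate=" + creationDate +
+                ", data=" + data +
+                ", attributes=" + attributes +
+                ", ttl=" + ttl +
+                "} " + super.toString();
+    }
+}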
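Review bot: `toString()` at the end of the hunk concatenates the whole `data` JSONObject, so whatever the archived JWK carries is written to any log line that prints this entity. The commit description says rotated keys are archived from the key store and the visible code does not constrain `data` to public parameters; if private key material can ever land in that field, this is a log-leak path. I would print only the identifier, e.g. `", kid=" + (data == null ? null : data.optString("kid")) +` in place of `", data=" + data +`, and state in a class Javadoc (currently only `@author`) that `data` is expected to hold the public JWK as served by `/jwks/archived/{kid}`. `getCreationDate()` also hands out the mutable `Date` field rather than a copy, which is worth a comment if callers are not meant to mutate it.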
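--- /dev/null
+++ b/jans-auth-server/common/src/main/java/io/jans/as/common/model/common/ArchivedKeyAttributes.java
@@ -0,0 +1,36 @@
+package io.jans.as.common.model.common;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * @author Yuriy Z
+ */
+@JsonIgnoreProperties(
+        ignoreUnknown = true
+)
+public class ArchivedKeyAttributes implements Serializable {
+
+    @JsonProperty("attributes")
+    private Map<String, String> attributes;
+
+    public Map<String, String> getAttributes() {
+        if (attributes == null) attributes = new HashMap<>();
+        return attributes;
+    }
+
+    public void setAttributes(Map<String, String> attributes) {
+        this.attributes = attributes;
+    }
+
+    @Override
+    public String toString() {
+        return "ArchivedKeyAttributes{" +
+                "attributes=" + attributes +
+                '}';
+    }
+}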
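Review bot: `getAttributes()` lazily creates the map and then returns the internal reference, so callers mutate entity state through a getter; that is presumably intended for ORM and Jackson round-tripping, but nothing in the file says so. A one-line Javadoc on the getter would make the contract explicit: `/** Returns the live attribute map, creating it on first access; mutations are persisted with the entity. */`. The class also implements `Serializable` without declaring a `serialVersionUID`, which is worth adding if instances are ever cached or replicated across deployments with different builds.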