-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Managing public keys for signed jwt #518
Comments
@elisafw-ux I'm not able to see the designs - I get a "Hmm, couldn't find that one" error |
@ikethecoder sorry! it's the same issue where you are gone from the board. I've invited you to view. |
@elisafw-ux to chat with Aidan to verify that there is anything else to work on |
@ikethecoder On the access request modal, I kept the UI as it was originally which includes the public key under the environment then a text area for people to add their public key in PEM format. Under the My Access page I removed "Regenerate Credentials" and just have "Update Public Key" Is there anything else that I need to work on from the UI side? |
@chrsamp @ikethecoder Updated designs Please review. |
@elisafw-ux Reviewed and looks good to me. Makes sense to combine the public cert/JWKS options on the access request. |
User Story
As an API Provider,
I want a way for my clients to provide (and self-serve) a public certificate during access request time
so that my Identity Provider (IdP) can use it to validate the Client Assertion Token
unlike now where the only option currently is to use the
Signed JWT with JWKS URL
which is not possible as our IdP does not have direct internet access.Two types of client credentials
The credential a client uses to authenticate falls into one of these two types:
Shared secret -- The Identity Provider issues the client with a secret (password) that is stored by the server as well as the client.
Private key -- The client generates a private RSA or EC key and stores it securely. The client then authenticates by signing an assertion (a JWT) with the private key.
Of the two methods the one based on a private key has stronger security properties.
A client can store the private key in a Hardware Security Module (HSM) or a Trusted Platform Module (TPM) where the signing is performed internally, within the module, and extraction of the stored keys is not possible. This can reduce the risk of client impersonation significantly.
The authorisation server doesn't keep any client-related credentials, limiting potential exposure.
The signed assertions (JWT) expire, limiting the time window for replay if they get accidentally leaked. Client certificates can also be made to expire quickly.
Finally, the issued tokens can be bound to the private key, enabling resource servers to require the client to prove its key possession when the token is submitted, thus upgrading the security of the OAuth 2.0 bearer tokens. Reference https://connect2id.com/learn/token-binding
Technical Design Notes
We have implemented the calls to the IdP already as we use it for the
Signed JWT with Generated Key Pair
flow.Expected changes:
authenticator
ofsigned-jwt-with-public-key
on the Authorization ProfileThe text was updated successfully, but these errors were encountered: