
feature: Use custom key in private_key_jwt towards OAuth2/OIDC IdP #2420

Merged
merged 4 commits into from
Jul 26, 2023

Conversation

strehle
Member

@strehle strehle commented Jul 25, 2023

Why: Key rotation in UAA should be independent of the scenario.

Currently: UAA stores keys (JWKSet) in jwt.token.policy.keys.
The current signing key is defined with jwt.token.policy.activeKeyId.
This key is used for JWT creation towards UAA clients (standard token flows), but also with private_key_jwt for the JWT creation towards the IdP.

In case of key rotation this can be less flexible than the situation before, where secrets were used. Each IdP had a custom relyingPartySecret, different from the client secret of the OAuth2 clients in UAA.

Therefore this PR introduces a sub-parameter kid which allows using a different key for the private_key_jwt scenario.
With this the UAA clients can rotate keys without a dependency on the configured identity providers in UAA:
The key used in private_key_jwt must be in zone configuration -> jwt.token.policy.keys.
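The key-selection rule described in this PR, modelled as an added example (not UAA's code): the IdP's private_key_jwt assertion uses its own kid when one is configured, otherwise the zone's activeKeyId, and the kid must exist in jwt.token.policy.keys. The `jwtClientAuthentication` attribute layout, the error on an unknown kid, and the sample key ids are assumptions; the helper at the end is the check to run before retiring a key from the JWKSet.

```python
# Constructed stand-in for the UAA zone config described in the PR:
# jwt.token.policy.keys holds the JWKSet, activeKeyId selects the key used
# for tokens issued to UAA clients. Key material is a placeholder string.
ZONE_POLICY = {
    "keys": {"key-2023-07": "<PEM placeholder>", "key-2023-01": "<PEM placeholder>"},
    "activeKeyId": "key-2023-07",
}

# Constructed IdP entries: one follows the active key, one pins its own kid
# (the sub-parameter this PR adds; the attribute layout is an assumption).
IDP_CONFIGS = {
    "idp-default": {"jwtClientAuthentication": True},
    "idp-pinned": {"jwtClientAuthentication": {"kid": "key-2023-01"}},
}


def resolve_kid(policy, idp_config):
    """Return the kid used for the private_key_jwt assertion towards one IdP.

    Without a custom kid the active key is used, as before the change. A
    custom kid must exist in jwt.token.policy.keys (assumed to be an error
    otherwise, since UAA cannot sign with a key it does not hold)."""
    auth = idp_config.get("jwtClientAuthentication")
    kid = auth.get("kid") if isinstance(auth, dict) else None
    if kid is None:
        return policy["activeKeyId"]
    if kid not in policy["keys"]:
        raise KeyError(f"kid {kid!r} not present in jwt.token.policy.keys")
    return kid


def rotate_active_key(policy, new_kid, new_key):
    """Rotate the UAA-client signing key; returns a new policy, IdPs untouched."""
    keys = {**policy["keys"], new_kid: new_key}
    return {"keys": keys, "activeKeyId": new_kid}


def idps_pinned_to(policy, idp_configs, kid):
    """Names of IdPs whose private_key_jwt assertion would be signed with kid.

    Run this before removing kid from jwt.token.policy.keys: a non-empty
    result means that IdP integration would break."""
    return sorted(name for name, cfg in idp_configs.items()
                  if resolve_kid(policy, cfg) == kid)
```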

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/185685964

The labels on this github issue will be updated when the story is started.

@strehle
Member Author

strehle commented Jul 25, 2023

@hsinn0 hsinn0 added the in_review The PR is currently in review label Jul 25, 2023
@strehle
Member Author

strehle commented Jul 26, 2023

@hsinn0 Thanks for the review. I changed the text.
This PR is not a breaking change, it is an enhancement to existing functionality only; I hope that is clear from the text now.

@strehle strehle requested a review from hsinn0 July 26, 2023 10:45
@strehle
Member Author

strehle commented Jul 26, 2023

Documentation Update

@strehle strehle merged commit d6961e7 into develop Jul 26, 2023
20 checks passed
@strehle strehle deleted the feature/jwtClientAuthentication/customKey branch July 26, 2023 19:08
@cf-gitbot cf-gitbot added delivered accepted Accepted the issue and removed delivered labels Oct 9, 2023
Labels
accepted Accepted the issue in_review The PR is currently in review

3 participants