[#22] - implement per-realm JWT secret rotation with lifecycle management#23
Merged
… the secret class to support per-realm secrets and key rotation
…creation and configuration of filters related to secrets. This improves the flexibility and reusability of filtering criteria within the domain.
…nstants in `documents.cs`
… secret filtering, allowing dynamic filters to be applied in MongoDB pipelines for the secret entity
…ers and counts, updates the constructor to accept a realm provider, and implements aggregation pipelines in MongoDB for searching and counting secrets.
…sier to create standard or custom filter instances.
…tation service interface and implementation to manage the secret lifecycle (creation, rotation, deletion) with expiration logic and a grace period.
…on service with a transient lifetime
…ets are no longer generated automatically during service configuration, as this is now done per realm and during realm creation.
…tation interface and service, allowing you to remove all secrets from a realm.
…e that performs key rotation, validation, and secret cleanup for all realms every 24 hours, using parallel processing and logs for monitoring and error handling.
…alm in route and enhance response handling for JWKS endpoints
…ests to include realm association and expiration dates
…r improved organization
…d on realm and secret filters
…ey rotation background service"
…e public keys and enhance private key retrieval logic
… and enhance secret retrieval logic
…refix in url requests
… and enhance configuration retrieval logic
… and ensure secret exists during realm creation
…nd directly uses the `scope factory` parameter in the constructor and in internal references.
…ment in the project
…ion method to convert domain objects
…cret management to represent secret information and its expiration dates.
… make it easier to use types from this namespace throughout the project.
…alm exists before fetching secrets.
… realm, allowing you to retrieve secrets from a specific realm with the appropriate authorization.
…rets to rotate the secrets of a specific realm, using the rotation service and validating the realm's existence.
…cending order before being converted to the response format, ensuring that the most recent ones are returned first.
…lm secrets endpoints, covering both success and error scenarios. It also adds a global `using` statement for `Payloads.Secret` in `Us
…ion to JWT token handling and tests
…or JWT bearer authentication
… and prune outdated secrets
…g per-realm key rotation and realm-specific .well-known endpoints
Currently, the application generates a single global RSA secret at startup if none exists. This secret is shared across all realms, which means a key compromise or rotation affects every realm simultaneously. There is also no concept of key expiration, grace periods, or historical key tracking.
- One global secret shared by all realms.
- No expiration or rotation mechanism.
- No grace period — rotating would immediately invalidate all active tokens.
- Blocking async calls at startup.
Each realm should own a collection of secrets with full lifecycle tracking. A secret can be in one of three states: active (signs new tokens), in grace period (validates existing tokens only), or expired (discarded). Rotation creates a new active secret and moves the current one into a grace period long enough to cover any live tokens — after which it is cleaned up.
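The lifecycle described above (active, grace period, expired) and the daily rotate-and-prune job, as an added example that is not the PR's code and not part of this project. It uses HMAC-SHA256 as a stand-in for the project's RSA key pairs so it runs with the standard library alone; the names `RealmSecret`, `RealmKeyRing`, `run_maintenance` and the timeline in `demo()` are all assumptions constructed for illustration. The point it makes is the one the description relies on: a token signed just before rotation keeps validating through the grace period and is rejected only once the old secret is pruned.

```python
# Added example, not the PR's code: per-realm secret lifecycle, active -> grace -> expired.
# HMAC-SHA256 stands in for the project's RSA keys; all names here are hypothetical.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class RealmSecret:
    kid: str                             # key id carried in the token header
    key: bytes                           # secret material (stand-in for an RSA key pair)
    created_at: datetime
    rotated_at: datetime | None = None   # set when the secret stops signing
    grace_until: datetime | None = None  # validates-only until this instant

    def state(self, now: datetime) -> str:
        if self.rotated_at is None:
            return "active"
        return "grace" if now < self.grace_until else "expired"


class RealmKeyRing:
    """All secrets of one realm plus the rotation and validation rules."""

    def __init__(self, realm: str, lifetime: timedelta, grace: timedelta, now: datetime):
        self.realm = realm
        self.lifetime = lifetime   # how long a secret signs before rotation is due
        self.grace = grace         # must cover the longest token lifetime the realm issues
        self.secrets: list[RealmSecret] = []
        self.rotate(now)           # a realm is never created without a secret

    def active(self, now: datetime) -> RealmSecret:
        return next(s for s in self.secrets if s.state(now) == "active")

    def rotate(self, now: datetime) -> RealmSecret:
        """Retire the active secret into its grace period and mint a new active one."""
        for s in self.secrets:
            if s.state(now) == "active":
                s.rotated_at = now
                s.grace_until = now + self.grace
        new = RealmSecret(kid=f"{self.realm}-{secrets.token_hex(4)}",
                          key=secrets.token_bytes(32), created_at=now)
        self.secrets.append(new)
        return new

    def rotate_if_due(self, now: datetime) -> bool:
        if now - self.active(now).created_at >= self.lifetime:
            self.rotate(now)
            return True
        return False

    def prune(self, now: datetime) -> int:
        """Drop expired secrets; returns how many were removed."""
        before = len(self.secrets)
        self.secrets = [s for s in self.secrets if s.state(now) != "expired"]
        return before - len(self.secrets)

    def validation_keys(self, now: datetime) -> dict[str, bytes]:
        """What the realm's JWKS endpoint would publish: active plus grace-period keys."""
        return {s.kid: s.key for s in self.secrets if s.state(now) in ("active", "grace")}

    def sign(self, payload: bytes, now: datetime) -> tuple[str, str]:
        s = self.active(now)   # only the active secret ever signs
        return s.kid, hmac.new(s.key, payload, hashlib.sha256).hexdigest()

    def verify(self, payload: bytes, kid: str, mac: str, now: datetime) -> bool:
        key = self.validation_keys(now).get(kid)
        if key is None:        # unknown kid, or a secret that expired and was pruned
            return False
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)


def run_maintenance(rings: dict[str, RealmKeyRing], now: datetime) -> dict[str, dict[str, int]]:
    """The daily job: rotate what is due and prune what has expired, realm by realm."""
    report = {}
    for realm, ring in rings.items():
        rotated = ring.rotate_if_due(now)
        pruned = ring.prune(now)
        report[realm] = {"rotated": int(rotated), "pruned": pruned}
    return report


def demo() -> dict:
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timeline
    rings = {"acme": RealmKeyRing("acme", timedelta(days=30), timedelta(days=1), t0)}
    ring = rings["acme"]
    payload = b'{"sub":"alice","realm":"acme"}'
    kid, mac = ring.sign(payload, t0)

    day30 = t0 + timedelta(days=30)
    r1 = run_maintenance(rings, day30)       # rotation due: old secret enters grace
    still_valid = ring.verify(payload, kid, mac, day30)
    states_day30 = sorted(s.state(day30) for s in ring.secrets)

    day31 = day30 + timedelta(days=1)
    r2 = run_maintenance(rings, day31)       # grace over: old secret pruned
    old_rejected = not ring.verify(payload, kid, mac, day31)
    kid2, mac2 = ring.sign(payload, day31)
    return {"r1": r1["acme"], "still_valid": still_valid, "states_day30": states_day30,
            "r2": r2["acme"], "old_rejected": old_rejected,
            "new_valid": ring.verify(payload, kid2, mac2, day31), "keys_left": len(ring.secrets)}
```

The grace period is the only thing standing between a rotation and a wave of rejected tokens, so it has to be at least as long as the longest access-token lifetime the realm issues; `validation_keys` is also what a per-realm `.well-known` JWKS endpoint would expose, and it deliberately includes grace-period keys so that resource servers keep validating tokens signed just before rotation.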