Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

jwk: refactor jwk id generation #589

Closed
aeneasr opened this issue Sep 27, 2017 · 0 comments
Closed

jwk: refactor jwk id generation #589

aeneasr opened this issue Sep 27, 2017 · 0 comments
Labels
feat New feature or request. package/jwk
Milestone
1.0.0-alpha.1

Comments

@aeneasr
Copy link
Member

aeneasr commented Sep 27, 2017

Currently, JWK Key IDs are generated by the generator. Depending on the generator, different strategies are used. For example,

  • HS256 sets shared per default
  • RS256/ECDSA sets private and public per default or uses the key id to set <id>:private, <id>:public

These things make key rotation painful. Instead, a random ID should be used.
@aeneasr aeneasr added feat New feature or request. package/jwk labels Sep 27, 2017
@aeneasr aeneasr added this to the 1.0.0-alpha1 milestone Sep 27, 2017
aeneasr pushed a commit that referenced this issue Feb 5, 2018
jwk: Forces JWK to have a unique ID
cd4715f 
Previously, JSON Web Keys did not have to specify a unique id. JWKs
generated by ORY Hydra typically only used `public` or `private`
as KeyID. This patch changes that and appends a unique id if no
KeyID was given. To be able to separate between public and private key
pairs in resource name, the public/private convention was kept.

This change targets specifically the OpenID Connect ID Token and HTTP
TLS keys. The ID Token key was previously "hydra.openid.id-token:public"
and "hydra.openid.id-token:private" which now changed to something like
"hydra.openid.id-token:public:9a458aa3-65a0-4982-835f-343eec45183c" and
"hydra.openid.id-token:private:fa353995-d77d-420a-b967-63bf0721271b"
with the UUID part being random for every installation.

This change will help greatly with key rotation in the future.

Closes #589
@aeneasr aeneasr closed this as completed in acd0107 Feb 5, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feat New feature or request. package/jwk
Projects
None yet
Milestone
1.0.0-alpha.1
Development

No branches or pull requests
1 participant
@aeneasr