This changeset makes AuthN capable of generating and rotating its own RSA keys, using Redis for persistence and synchronization. It's expected that this will ease AuthN provisioning and lower expectations for the maturity of the host's configuration management system. If a host is ready and willing to take over these responsibilities, they may still supply RSA_PRIVATE_KEY and run AuthN with a static key provider.
details
The PEM in Redis is encrypted from a derivation of SECRET_KEY_BASE, using GCM to provide both confidentiality (encryption) and authenticity (signature).
A new key is generated for each new time interval, using Redis locking for process synchronization and Mutex for thread synchronization.
The current and previous key are both returned from the JWKs endpoint, with a kid that can be used by any client to know which JWK will verify their JWT.
The rotation interval matches the expiration of artifacts signed by the key. A key's lifespan is two intervals:

- during the first interval, it is used to sign and verify new tokens
- during the second interval, it is used to verify tokens generated during the first
- in the third interval, any tokens it generated during the first have expired and the key becomes useless
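As an added illustration of the design described above (this is example code, not code from the AuthN changeset), the following Ruby seals an RSA PEM with AES-256-GCM under a key derived from SECRET_KEY_BASE, and models the two-interval lifespan rule for deciding which keys the JWKs endpoint publishes. The PBKDF2 derivation and salt, the blob layout, and the interval length are assumptions made for the example.

```ruby
require 'openssl'

# Constructed values for the example, not AuthN's real configuration.
SECRET_KEY_BASE = 'example-secret-key-base-do-not-use'
INTERVAL = 3600 # seconds; in this design it equals the lifetime of signed tokens

# Derive a 256-bit AES key from SECRET_KEY_BASE. AuthN's actual derivation is not
# shown on the page; PBKDF2 with a fixed, labelled salt is an assumption.
def derive_key(secret, salt = 'authn-key-store')
  OpenSSL::PKCS5.pbkdf2_hmac(secret, salt, 10_000, 32, 'sha256')
end

# Seal a PEM with AES-256-GCM: fresh 12-byte nonce per call, the GCM tag
# provides authenticity. Assumed layout: nonce(12) || tag(16) || ciphertext.
def seal_pem(pem, secret)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = derive_key(secret)
  nonce = cipher.random_iv
  cipher.auth_data = ''
  ciphertext = cipher.update(pem) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Open a sealed blob; a tampered blob or wrong secret raises
# OpenSSL::Cipher::CipherError because the tag fails to verify.
def open_pem(blob, secret)
  nonce, tag, ciphertext = blob[0, 12], blob[12, 16], blob[28..-1]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = derive_key(secret)
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = ''
  cipher.update(ciphertext) + cipher.final
end

# A key is identified by the interval (bucket) in which it was generated.
def bucket(t, interval = INTERVAL)
  t.to_i / interval
end

# Keys the JWKs endpoint publishes at time t: the current and the previous bucket.
def published_buckets(t, interval = INTERVAL)
  b = bucket(t, interval)
  [b, b - 1]
end

# A token signed in bucket `signed_in` is verifiable at time t only while
# that key is still published, i.e. during its first or second interval.
def verifiable?(signed_in, t, interval = INTERVAL)
  published_buckets(t, interval).include?(signed_in)
end
```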
closes #23