keratin / authn

Prototype version of AuthN service. See: keratin/authn-server
https://keratin.tech
GNU Lesser General Public License v3.0
34 stars 0 forks

automatic key provisioning and rotation #36

Closed cainlevy closed 7 years ago

cainlevy commented 7 years ago

summary

This changeset makes AuthN capable of generating and rotating its own RSA keys, using Redis for persistence and synchronization. It's expected that this will ease AuthN provisioning and lower expectations for the maturity of the host's configuration management system. If a host is ready and willing to take over these responsibilities, they may still supply RSA_PRIVATE_KEY and run AuthN with a static key provider.

details

The PEM in Redis is encrypted from a derivation of SECRET_KEY_BASE, using GCM to provide both confidentiality (encryption) and authenticity (signature).

A new key is generated for each new time interval, using Redis locking for process synchronization and Mutex for thread synchronization.

The current and previous key are both returned from the JWKs endpoint, with a kid that can be used by any client to know which JWK will verify their JWT.

The rotation interval matches the expiration of artifacts signed by the key. A key's lifespan is two intervals:

  1. during the first interval, it is used to sign and verify new tokens
  2. during the second interval, it is used to verify tokens generated during the first
  3. in the third interval, any tokens it generated during the first have expired and the key becomes useless

closes #23
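The scheme described above (PEM encrypted under a key derived from SECRET_KEY_BASE with AES-GCM, one RSA key per interval, current and previous keys published with a kid, a two-interval lifespan) as an added, self-contained sketch. This is example code written for this page, not code from keratin/authn. It assumes: a plain Hash plus a Mutex stand in for Redis and its locking; PBKDF2 with a fixed salt as the derivation from SECRET_KEY_BASE; the interval index as the kid; a 3600-second interval; and a signature over a raw payload rather than a full JWT. The timestamp and SECRET_KEY_BASE value are constructed.

```ruby
require 'openssl'
require 'base64'

SECRET_KEY_BASE = 'constructed-secret-key-base-for-demo-only' # constructed
INTERVAL_SECONDS = 3600 # assumed: equal to the lifetime of signed tokens

class RotatingKeyStore
  def initialize(store, secret_base, interval)
    @store = store      # Hash standing in for Redis (assumption)
    @interval = interval
    @lock = Mutex.new   # thread synchronization; Redis locking is not modelled
    # Assumed derivation: PBKDF2-HMAC-SHA256 of SECRET_KEY_BASE with a fixed salt.
    @enc_key = OpenSSL::PKCS5.pbkdf2_hmac(secret_base, 'authn-key-encryption',
                                          10_000, 32, OpenSSL::Digest.new('SHA256'))
  end

  # Interval index for a point in time; keys are named by this index.
  def interval_at(time)
    time.to_i / @interval
  end

  # AES-256-GCM: the stored blob is confidential and any modification is detected.
  def encrypt(pem)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @enc_key
    iv = cipher.random_iv            # fresh 12-byte nonce per encryption
    cipher.auth_data = ''
    ciphertext = cipher.update(pem) + cipher.final
    Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
  end

  # Tampering with iv, tag or ciphertext raises OpenSSL::Cipher::CipherError.
  def decrypt(blob)
    raw = Base64.strict_decode64(blob)
    iv, tag, ciphertext = raw[0, 12], raw[12, 16], raw[28..-1]
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = @enc_key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ''
    cipher.update(ciphertext) + cipher.final
  end

  # Key for an interval, generated and persisted (encrypted) on first use.
  def key_for(idx)
    @lock.synchronize do
      blob = @store["rsa:#{idx}"]
      return OpenSSL::PKey::RSA.new(decrypt(blob)) if blob
      key = OpenSSL::PKey::RSA.new(2048)
      @store["rsa:#{idx}"] = encrypt(key.to_pem)
      key
    end
  end

  # kid lets a client pick the JWK that verifies a token (assumed: interval index).
  def kid_for(idx)
    "interval-#{idx}"
  end

  # Sign with the current interval's key; the token carries the kid.
  def sign(payload, time)
    idx = interval_at(time)
    sig = key_for(idx).sign(OpenSSL::Digest.new('SHA256'), payload)
    { 'kid' => kid_for(idx), 'payload' => payload, 'sig' => Base64.strict_encode64(sig) }
  end

  # JWKs endpoint: public parts of the current and previous interval keys only.
  def jwks(time)
    idx = interval_at(time)
    [idx, idx - 1].map { |i| { 'kid' => kid_for(i), 'pem' => key_for(i).public_key.to_pem } }
  end

  # Verify as a client would: find the kid among the JWKs published at `time`.
  def verify(token, time)
    jwk = jwks(time).find { |k| k['kid'] == token['kid'] }
    return false unless jwk
    pub = OpenSSL::PKey::RSA.new(jwk['pem'])
    pub.verify(OpenSSL::Digest.new('SHA256'), Base64.strict_decode64(token['sig']), token['payload'])
  end
end

# Flip one ciphertext bit of a stored blob and confirm GCM rejects it.
def tamper_rejected?(ks, blob)
  raw = Base64.strict_decode64(blob)
  raw[-1] = (raw[-1].ord ^ 0x01).chr
  ks.decrypt(Base64.strict_encode64(raw))
  false
rescue OpenSSL::Cipher::CipherError
  true
end

# Walk a token through the three intervals of the key's life.
def rotation_demo
  store = {}
  ks = RotatingKeyStore.new(store, SECRET_KEY_BASE, INTERVAL_SECONDS)
  t0 = Time.at(1_700_000_000) # constructed timestamp
  token = ks.sign('session:42', t0)
  {
    same_interval: ks.verify(token, t0),
    next_interval: ks.verify(token, t0 + INTERVAL_SECONDS),
    two_later: ks.verify(token, t0 + 2 * INTERVAL_SECONDS),
    stored_is_ciphertext: store.values.none? { |v| v.include?('PRIVATE KEY') },
    tampered_rejected: tamper_rejected?(ks, store.values.first)
  }
end

p rotation_demo if $PROGRAM_NAME == __FILE__
```

The walk-through shows the lifespan rule directly: a token signed in interval N verifies against the JWKs published in N and N+1, and fails in N+2 because the key is no longer published. The tamper check is why GCM rather than an unauthenticated mode matters here: a modified blob in the store fails to decrypt instead of yielding a corrupted key.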