Closed mbonnell-wish closed 3 years ago
For what keys do you want that?
These secrets: https://www.ory.sh/kratos/docs/guides/secret-key-rotation/. Basically, the request is to be able to hit an endpoint and have a new secret be generated. This would probably necessitate storing the secrets in the DB, like in Hydra.
In Ory Hydra we rotate JSON Web Keys which is different from rotating e.g. the system secret. Storing the system secret in the db is not possible as that secret is used, for example, to encrypt data in the database at rest, so it needs to be available outside of the db itself.
It's also bad practice to store secrets in plain text in databases!
That makes perfect sense, an oversight on my part!
Given that, I think it would make more sense to leave secret rotation up to the users. We use HashiCorp Vault to store our secrets - from doing some quick research, they seem to have a decent API for achieving this functionality.
Happy to have this issue closed :)
Is your feature request related to a problem? Please describe.
Hydra supports automated key rotation via the "generate keyset" endpoint. Is this in Kratos's roadmap?
Describe the solution you'd like
https://www.ory.sh/hydra/docs/reference/api/#generate-a-new-json-web-key