sourcefuse / loopback4-microservice-catalog

A Catalog of Microservices Created by SourceFuse for the Community
https://sourcefuse.github.io/arc-docs/arc-api-docs/
MIT License

The asymmetric signing configuration parameters only support a single key. The use of a single key means that rotation will cause outages. #2034

Open yeshamavani opened 4 months ago

yeshamavani commented 4 months ago

Is your feature request related to a problem? Please describe.

- The asymmetric signing configuration parameters only support a single key. The use of a single key means that rotation will cause outages.

- The two main endpoints that most industry standard OIDC/OAuth2.0 validation libs require are missing: discovery and JWKS. As a result, the public key signing key must be distributed into downstream services, rather than the downstream services using one of the standard endpoints for retrieving signing keys. JWKS is a hard requirement for key rotation, as it enables clients to use newly issued signing keys without rotation.

As a result of the above bullet points, pointing applications from other stacks, even Node stacks that use generic OIDC libraries, will not work as expected.

External providers have their own distinct endpoints, instead of simply configuring the external providers and the service redirecting when a request is made for the external provider integration. Other similar products do not require instantiating a controller and adding endpoints.

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

yeshamavani commented 3 months ago

Mudassir will prepare a TDD for this. ETA: 29th April.