wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Rotate tenant signing keys #8981

Open pulasthi7 opened 4 years ago

pulasthi7 commented 4 years ago

Problem Definition

We use a tenant-wise key to sign the assertions/tokens issued by that tenant. There can be requirements to change these keys. We need to provide the support to rotate these keys.

Effort BE::30

tharindu-b-hewage commented 3 years ago

@inthirakumaaran Has some work been done related to the scope covered by this issue?

inthirakumaaran commented 3 years ago

@tharindu-bandara We didn't cover the tenant aspect as there were some limitations. Mainly there are two issues:

  1. We didn't separate the internal keystore & primary keystore in tenants.
  2. We don't know the keystore password for the tenant keystore, thus we cannot rotate the initial key without deleting the keystore.

IMO the second issue can be fixed easily; however, it would be best if we can make the key alias & key passwords configurable. For the first issue, we need to check thoroughly.

tharindu-b-hewage commented 3 years ago

I had an offline chat with @inthirakumaaran. The remaining parts of the issue are as follows.

  1. Before rotating, we need to separate the keystores in the Identity Server: one keystore to encrypt internal data, and another to encrypt/sign tokens (https://is.docs.wso2.com/en/latest/administer/migrating-the-secondary-userstore-password-to-the-internal-keystore/#migrating-the-secondary-userstore-password-to-the-internal-keystore). This is done for the super tenant, but needs to be implemented for tenants. Also, the flows need to be tested once the separation is done.
  2. Tenant keystores are generated as tenants are created. The generated keystores have a random password. In order to rotate keys, we need to know the password, as new keys need to be added to the keystore.

@nilasini @ayshsandu Please kindly add your feedback on the above.

tharindu-b-hewage commented 3 years ago

Also, as per the chat with @ayshsandu, we are introducing symmetric key encryption from 5.11 onwards. Therefore, we need to evaluate how tenant key rotation behaves with symmetric key encryption.

malithie commented 3 years ago

@tharindu-bandara, symmetric encryption is about internal data encryption. This issue is about signing keys being used to sign information shared with external applications, IdPs, or any other external entity with which messages are being shared.

piraveena commented 3 years ago

We will follow the below approach to rotate signing keys for a tenant.

piraveena commented 3 years ago

Implementation will be divided into the following tasks.

piraveena commented 3 years ago

Please find my update on this feature below:

  1. Created a Swagger definition for this API: https://app.swaggerhub.com/apis/piraveena/KeyStore-Mgt/2.0, https://app.swaggerhub.com/apis/piraveena/Config/1.0.0
  2. Implemented OSGi service level APIs for private key management and alias management (using a resident IdP property) (Draft PR)
  3. Implemented REST APIs for private key management and alias management (using a resident IdP property) (Draft PR)

I will start working on the JWKS endpoint to support key rotation for the tenant.

piraveena commented 3 years ago

Please find the progress below:

  1. OSGi APIs for private key management and signing key alias - done
  2. Relevant REST APIs - done
  3. Need to fix the flows to support the key rotations.

OAuth flows

Outgoing request:

  1. ID token signature (for tenant and super tenant) - done
  2. Self-contained access token signature (for tenant and super tenant) - done
  3. Logout token signature (for tenant and super tenant) - done

Incoming request:

  1. ID token hint validation (for the tenant and super tenant) - done
  2. Need to work on SAML bearer grant, JWT bearer grant

SAML flows:

  3. SAML POST binding (both auth req and logout req) - done
  4. SAML redirect binding (both auth req and logout req) - done
  5. Need to work on metadata endpoint
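As an added illustration (not code from this repository or from the PRs referenced above), the rotation semantics the tenant JWKS endpoint and the incoming validation flows need: the `kid` header names the keystore alias that signed, the previous alias stays published and verifiable for a grace window so tokens issued before rotation still validate, and anything signed with an unknown or expired alias is rejected. HMAC-SHA256 stands in for the tenant's RSA key so the example runs without dependencies; the aliases, secrets and timestamps are constructed.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class TenantSigningKeys:
    """One tenant's signing keys: the active alias plus retired aliases kept verifiable for a grace window."""
    def __init__(self, grace_seconds: int):
        self.grace = grace_seconds
        self.keys = {}          # kid (keystore alias) -> {"secret": bytes, "retired_at": int or None}
        self.active_kid = None  # the tenant's "signing key alias" property

    def add_key(self, kid: str, secret: bytes) -> None:
        self.keys[kid] = {"secret": secret, "retired_at": None}
        if self.active_kid is None:
            self.active_kid = kid

    def rotate(self, new_kid: str, new_secret: bytes, now: int) -> None:
        # Add the new alias, switch signing to it, and start the old alias's grace period.
        old_kid = self.active_kid
        self.add_key(new_kid, new_secret)
        if old_kid is not None and old_kid != new_kid:
            self.keys[old_kid]["retired_at"] = now
        self.active_kid = new_kid

    def published_kids(self, now: int) -> list:
        # What the tenant JWKS endpoint should list: the active key and retired keys still in grace.
        return sorted(kid for kid, k in self.keys.items()
                      if k["retired_at"] is None or now < k["retired_at"] + self.grace)

    def sign(self, claims: dict) -> str:
        header = {"alg": "HS256", "kid": self.active_kid}  # HMAC stands in for the RSA key; kid names the alias
        signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
        sig = hmac.new(self.keys[self.active_kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)

    def verify(self, token: str, now: int):
        # Incoming side: resolve the key by kid, reject unknown or expired aliases, then check the signature.
        head, body, sig = token.split(".")
        kid = json.loads(b64url_decode(head)).get("kid")
        if kid not in self.published_kids(now):
            return None
        expected = hmac.new(self.keys[kid]["secret"], f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(body))
```

A token minted before rotation keeps validating until its alias leaves the published set, after which verification fails even though the key material still exists in the store.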