Open pulasthi7 opened 4 years ago
@inthirakumaaran Has any work been done related to the scope covered by this issue?
@tharindu-bandara We didn't cover the tenant aspect as there were some limitations. Mainly, there are two issues:
IMO the second issue can be fixed easily; however, it would be best if we could make the key alias and key passwords configurable. For the first issue, we need to check thoroughly.
I had an offline chat with @inthirakumaaran. The remaining parts of the issue are as follows:
@nilasini @ayshsandu Please kindly add your feedback on the above.
Also, as per the chat with @ayshsandu, we are introducing symmetric key encryption from 5.11 onwards. Therefore, we need to evaluate how tenant key rotation behaves with symmetric key encryption.
@tharindu-bandara, symmetric encryption is about internal data encryption. This issue is about the signing keys used to sign information shared with external applications, IdPs, or any other external entity with which messages are being shared.
We will follow the approach below to rotate signing keys for a tenant.
Implementation will be divided into the following tasks:
Please find my update on this feature below:
I will start working on the JWKS endpoint to support key rotation for the tenant.
Please find the progress below:
OAuth flows:
Outgoing request:
Incoming request:
ID token hint validation (for the tenant and super tenant) - done
Need to work on SAML bearer grant, JWT bearer grant
SAML flows:
SAML POST binding (both auth req and logout req) - done
SAML redirect binding (both auth req and logout req) - done
Need to work on metadata endpoint
Problem Definition
We use a tenant-wise key to sign the assertions/tokens issued by that tenant. There can be requirements to change these keys. We need to provide support to rotate these keys.
Effort: BE::30