Add jwks expiration header #1536

Closed
bostandyksoft opened this issue Feb 15, 2024 · 3 comments
Labels
status: duplicate A duplicate of another issue

Comments

bostandyksoft commented Feb 15, 2024

Expected Behavior
According to OpenID Connect specification
10.2.1. Rotation of Asymmetric Encryption Keys
https://openid.net/specs/openid-connect-core-1_0.html#RotateEncKeys

The oauth2/jwks endpoint response SHOULD contain some information about keys expiring, so we need a way to customize the response-building process, either an interceptor or an inheritance mechanism.

Current Behavior
NimbusJwkSetEndpointFilter does not provide any mechanism to send this information.

@bostandyksoft bostandyksoft added the type: enhancement A general enhancement label Feb 15, 2024
jgrandja (Collaborator) commented

@bostandyksoft

You referenced 10.2.1. Rotation of Asymmetric Encryption Keys but I'm curious exactly what you are trying to achieve as Spring Authorization Server does not currently support JWE so it's not clear to me how you intend on using JWE.

Can you please provide specific details on your use case?

@jgrandja jgrandja added the status: waiting-for-feedback We need additional information before we can continue label Feb 26, 2024
bostandyksoft (Author) commented

Hi. Excuse me.
I meant paragraph 10.1.1, about signing keys. There is also a mention of rolling keys:
"Keys can be rolled over by periodically adding new keys to the JWK Set at the jwks_uri location"

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Feb 27, 2024
jgrandja (Collaborator) commented

@bostandyksoft Spring Authorization Server uses a JWKSource @Bean (required) for obtaining the signing key. The backing implementation of JWKSource is responsible for providing key rotation capability.

We do have an open issue gh-544 that will demonstrate how to provide a JWKSource @Bean that implements a key rotation strategy.

I'll close this issue as a duplicate of gh-544.
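An added example of the rotation strategy the maintainer describes, not the project's own code and not the gh-544 sample: a JWKSource bean that generates a new RSA key on a schedule and keeps retired keys published until tokens signed with them can no longer be valid, so the jwks endpoint exposes the rollover without any change to NimbusJwkSetEndpointFilter. The class name, the rotation interval and the grace period are assumptions; the kid customizer is needed because NimbusJwtEncoder refuses to sign when more than one key matches its selector.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.UUID;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.KeySourceException;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

/** Hypothetical rotating JWKSource: the newest key signs, older keys stay published for a grace period. */
public class RotatingJwkSource implements JWKSource<SecurityContext> {

    private record Entry(RSAKey key, Instant created) {}

    private final Duration rotationInterval;
    private final Duration gracePeriod;          // should cover the longest token lifetime issued
    private final List<Entry> entries = new ArrayList<>(); // newest first

    public RotatingJwkSource(Duration rotationInterval, Duration gracePeriod) throws JOSEException {
        this.rotationInterval = rotationInterval;
        this.gracePeriod = gracePeriod;
        rotate(Instant.now());
    }

    private synchronized void rotate(Instant now) throws JOSEException {
        RSAKey fresh = new RSAKeyGenerator(2048).keyID(UUID.randomUUID().toString()).generate();
        entries.add(0, new Entry(fresh, now));
        // Retire keys only after their signing window plus the grace period: by then every
        // token they signed has expired, so verifiers no longer need them in the JWK Set.
        Instant cutoff = now.minus(rotationInterval).minus(gracePeriod);
        entries.removeIf(e -> e.created().isBefore(cutoff));
    }

    /** kid of the key currently used for signing. */
    public synchronized String currentKeyId() { return entries.get(0).key().getKeyID(); }

    @Override
    public synchronized List<JWK> get(JWKSelector selector, SecurityContext ctx) throws KeySourceException {
        Instant now = Instant.now();
        if (now.isAfter(entries.get(0).created().plus(rotationInterval))) {
            try { rotate(now); } catch (JOSEException ex) { throw new KeySourceException("rotation failed", ex); }
        }
        List<JWK> published = new ArrayList<>();
        entries.forEach(e -> published.add(e.key()));
        return selector.select(new JWKSet(published)); // jwks endpoint sees current and retiring keys
    }

    /** Pins the current kid in the JWS header so NimbusJwtEncoder matches exactly one signing key. */
    public OAuth2TokenCustomizer<JwtEncodingContext> kidCustomizer() {
        return context -> context.getJwsHeader().keyId(currentKeyId());
    }
}
```

Register the instance as the `JWKSource<SecurityContext>` bean and `kidCustomizer()` as an `OAuth2TokenCustomizer<JwtEncodingContext>` bean; a token signed just before a rotation still verifies because its kid remains in the published set for the grace period.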

@jgrandja jgrandja added status: duplicate A duplicate of another issue and removed status: feedback-provided Feedback has been provided type: enhancement A general enhancement labels Feb 27, 2024
@jgrandja jgrandja self-assigned this Feb 27, 2024