JSON Web Key Support #410
JSON Web Key Support #410
Conversation
|
@danikarik hello, thanks - seems nice to have. I'll come with review comments very soon - need time to get some understanding on topic. For now I have one question - have you already tried that inside your token infrastructure? |
|
Tried it in PoC. Planning to deploy it on staging within couple of days. |
|
Last thing is to add own JWKS wrapper. |
|
Added own jwks manager to deal with cache and retrieving set from specified endpoint. |
| select { | ||
| case <-ticker: | ||
| tc.cleanup() | ||
| case <-tc.stop: |
There was a problem hiding this comment.
Is there a way to stop cache at the moment?
There was a problem hiding this comment.
|
Thanks @danikarik, great job 👍 Ready to be merged I suppose. Going to make some minor tweaks here before release. Also JWKS support should be documented – will ask you to review documentation as soon as I send update to it. @cristaloleg, @C-Pro thanks for your help! |
Proposed changes
In case of asymmetric JWT encryption, it's hard to update or verify incoming connection tokens due to rotation nature of keys. Current scheme of interaction produces a lot of request to refresh proxy endpoints.
According to RFC7517 there is mechanism where we can put KeyID (
kid) into token claims and find appropriate public rsa key for verifying using key identifier. All those public keys are available by specific url. This scheme of interaction makes possible to use same jwt token as system's internal token and as Centrifugo's connection token. But of course it works only if system's jwt token fully compatible with Centrifugo's connection token and JWKS public url and token's kid are specified.What I suggesting
token_hmac_secret_keyandtoken_rsa_public_key) -jwks_public_urlkidin claims it finds public key and verifies signature of token.