
Multiple rsa keys #978


Merged
merged 4 commits into from
Sep 23, 2021

Conversation

dylantack
Contributor

Fixes #950

Description of the Change

This adds support for multiple RSA keys via the OIDC_RSA_PRIVATE_KEYS_INACTIVE setting.
Additionally, jwks_uri has Cache-Control header as recommended by the OpenID spec.

Checklist

  • PR only contains one change (considered splitting up PR)
  • unit-test added
  • documentation updated
  • CHANGELOG.md updated (only for user relevant changes)
  • author name in AUTHORS

@dylantack
Contributor Author

To be very precise about the Cache-Control header, the spec only mentions it in the context of encryption keys, not signing keys. However jwks_uri would be the same resource for both, and I think even for signing the max-age is valuable information for the verifier. Without it, the verifier doesn't have any guidance on how often to re-check for revoked keys.

Here are some examples from jwks_uri on popular ID providers:

Auth0:
Cache-Control: public, max-age=15, stale-while-revalidate=15, stale-if-error=15

Firebase Auth:
Cache-Control: public, max-age=22159, must-revalidate, no-transform

Okta:
cache-control: max-age=3293198, must-revalidate

Azure Active Directory B2C:
Cache-Control: max-age=86400, private

So it seems like there's quite a bit of variation; I have defined OIDC_JWKS_MAX_AGE_SECONDS with a default of 1 hour.
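The rotation mechanics this PR relies on, shown as an added example that is not code from the django-oauth-toolkit project: the provider signs only with the active key but keeps publishing retired keys in its JWKS during a grace period, and the verifier caches the JWKS for the advertised max-age, refetching when the cache expires or when a token names a kid it has not seen (rate-limited, so a flood of tokens with bogus kids cannot turn into a refetch storm). `Provider`, `JwksCache`, `verify` and `JWKS_MAX_AGE_SECONDS` are names chosen for this example; the JWK entries are constructed placeholders carrying only a kid, and signature checking is represented by the kid lookup rather than real RS256 verification, so the script runs on the standard library alone.

```python
"""Model of signing-key rotation with a JWKS endpoint that sets Cache-Control.

Added example; names and the 1-hour default are assumptions mirroring the PR's
OIDC_RSA_PRIVATE_KEYS_INACTIVE / OIDC_JWKS_MAX_AGE_SECONDS settings.
"""
import json
import re
import time
from dataclasses import dataclass, field

JWKS_MAX_AGE_SECONDS = 3600  # assumed default: one hour, as in the PR


@dataclass
class Provider:
    """Stand-in for the authorization server (constructed for this example)."""
    active_kid: str                          # key used for signing
    inactive_kids: list = field(default_factory=list)  # verify-only, still published
    max_age: int = JWKS_MAX_AGE_SECONDS

    def jwks_response(self):
        """Return (headers, body) for jwks_uri: active + inactive keys, with max-age."""
        keys = [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid}
                for kid in [self.active_kid, *self.inactive_kids]]
        headers = {"Cache-Control": f"public, max-age={self.max_age}"}
        return headers, json.dumps({"keys": keys})

    def sign(self, payload):
        """Tokens are always issued under the active kid; inactive keys never sign."""
        return {"kid": self.active_kid, "payload": payload}


def parse_max_age(cache_control):
    """Extract max-age from a Cache-Control value; None if the directive is absent."""
    match = re.search(r"max-age=(\d+)", cache_control or "")
    return int(match.group(1)) if match else None


class JwksCache:
    """Verifier-side cache honouring max-age, with a rate-limited refresh on unknown kid."""

    def __init__(self, fetch, now=time.time, min_refresh_interval=30):
        self.fetch = fetch                      # callable returning (headers, body)
        self.now = now                          # injectable clock for testing
        self.min_refresh_interval = min_refresh_interval
        self.keys = {}
        self.expires_at = 0.0
        self.last_fetch = -float("inf")
        self.fetch_count = 0

    def refresh(self):
        headers, body = self.fetch()
        self.fetch_count += 1
        self.last_fetch = self.now()
        max_age = parse_max_age(headers.get("Cache-Control"))
        # no max-age means no caching guidance: treat the document as already stale
        self.expires_at = self.last_fetch + (max_age if max_age is not None else 0)
        self.keys = {k["kid"]: k for k in json.loads(body)["keys"]}

    def get_key(self, kid):
        if self.now() >= self.expires_at:
            self.refresh()                      # cache expired per max-age
        if kid not in self.keys and self.now() - self.last_fetch >= self.min_refresh_interval:
            self.refresh()                      # possible rotation since last fetch
        return self.keys.get(kid)


def verify(cache, token):
    """Accept a token only if its kid is currently published (stands in for RS256 checks)."""
    return cache.get_key(token["kid"]) is not None


def rotation_scenario():
    """Walk through issue, rotate, grace period, retire; returns the observed outcomes."""
    clock = [0.0]
    provider = Provider(active_kid="key-2021")
    cache = JwksCache(fetch=provider.jwks_response, now=lambda: clock[0])
    results = {}
    old_token = provider.sign({"sub": "alice"})
    results["initial"] = verify(cache, old_token)              # first fetch
    # Rotate: new active key, previous key moves to the inactive (verify-only) list.
    provider.active_kid = "key-2022"
    provider.inactive_kids = ["key-2021"]
    new_token = provider.sign({"sub": "bob"})
    clock[0] += 60
    results["new_before_expiry"] = verify(cache, new_token)    # unknown kid -> refresh
    results["old_after_rotation"] = verify(cache, old_token)   # still published, still valid
    # Retire the old key completely; verifiers learn this once their cache expires.
    provider.inactive_kids = []
    clock[0] += JWKS_MAX_AGE_SECONDS + 1
    results["old_after_retirement"] = verify(cache, old_token)
    results["fetches"] = cache.fetch_count
    return results


if __name__ == "__main__":
    print(rotation_scenario())
```

The scenario makes the trade-off in the max-age value concrete: a retired key keeps being accepted by verifiers for up to one max-age after it leaves the JWKS, which is why the inactive list (rather than immediate removal) is the mechanism for rotation without breaking tokens already in flight.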

@codecov

codecov bot commented Sep 21, 2021

Codecov Report

Merging #978 (40df294) into master (59ab199) will increase coverage by 0.00%.
The diff coverage is 100.00%.


@@           Coverage Diff           @@
##           master     #978   +/-   ##
=======================================
  Coverage   96.56%   96.56%           
=======================================
  Files          31       31           
  Lines        1716     1718    +2     
=======================================
+ Hits         1657     1659    +2     
  Misses         59       59           
Impacted Files                  Coverage   Δ
oauth2_provider/settings.py     100.00%    <ø> (ø)
oauth2_provider/views/oidc.py   100.00%    <100.00%> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@auvipy auvipy requested a review from n2ygk September 21, 2021 16:44
Member

@n2ygk n2ygk left a comment


Nice! Thanks.

@n2ygk n2ygk merged commit 0658109 into jazzband:master Sep 23, 2021
Development

Successfully merging this pull request may close these issues.

Multi RS256 Keys support in OpenID