
Have a set of keys instead of just one #45

@jakipatryk

Description

Background

To allow more UX-friendly key rotation, a set of keys for signing JWTs is needed. Once a set of keys is used, the "oldest" one can stop signing for a time equal to the JWT expiration set in the config. After that time, it can be replaced with a new one.

Example (smoother rotation):

  1. Current keys: [A].
  2. New key B is generated (for example by rotation of A). Current keys [B, A].
  3. For some time (let's say 30 min) B is not yet used to sign JWTs, to allow backends based on LS to fetch this new set of keys.
  4. After that time, B starts signing JWTs. A becomes "idle" for some time.
  5. A gets removed. Current keys: [B].

A set of keys is also useful if for some reason we have to revoke some JWTs, as we would only have to revoke one key from the set, leaving more users unaffected.

Feature

Have a set of keys for signing JWTs, each key having its own unique ID, and add this ID to the header of the JWT.
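The rotation timeline and the kid-based revocation described in this issue, as an added example that is not LS's own code. It assumes HS256 with a random secret per key (the project may well use asymmetric keys), a JWT TTL and a publish delay taken from config, and a simulated clock so the five steps can be replayed offline; `published_kids()` stands in for whatever endpoint backends would fetch the set from. The verifier goes a little beyond the issue text: it pins the algorithm instead of reading it from the token and rejects malformed tokens, since a `kid` lookup is only safe if the rest of the header is not trusted either.

```python
# Added example, not LS's code. Assumed: HS256 with per-key random secrets,
# TTL and publish delay from config, simulated clock (all values constructed).
import base64, hashlib, hmac, json, secrets

JWT_TTL = 3600         # assumed config value: JWT expiration, seconds
PUBLISH_DELAY = 1800   # assumed: a new key is published this long before it signs

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class KeySet:
    """Keys by unique kid. State: pending (published, not yet signing),
    active (the one key that signs), idle (verify only until all its JWTs expired)."""

    def __init__(self, jwt_ttl=JWT_TTL, publish_delay=PUBLISH_DELAY):
        self.jwt_ttl, self.publish_delay = jwt_ttl, publish_delay
        self.keys, self.active_kid = {}, None   # kid -> {secret, state, created, since}

    def add_key(self, now):
        kid = secrets.token_hex(8)
        self.keys[kid] = {"secret": secrets.token_bytes(32), "state": "pending",
                          "created": now, "since": now}
        self.advance(now)
        return kid

    def advance(self, now):
        """Apply every state transition that is due at `now`."""
        for kid, key in list(self.keys.items()):
            if key["state"] == "pending" and (
                    self.active_kid is None or now - key["since"] >= self.publish_delay):
                if self.active_kid is not None:             # old signer becomes idle
                    self.keys[self.active_kid].update(state="idle", since=now)
                key.update(state="active", since=now)
                self.active_kid = kid
            elif key["state"] == "idle" and now - key["since"] >= self.jwt_ttl:
                del self.keys[kid]                          # nothing it signed is still valid

    def published_kids(self):
        # What a backend fetching the set sees, newest first.
        return sorted(self.keys, key=lambda k: self.keys[k]["created"], reverse=True)

    def revoke(self, kid):
        """Drop one key: only JWTs carrying this kid stop verifying."""
        del self.keys[kid]
        if self.active_kid == kid:
            self.active_kid = None

    def sign(self, claims, now):
        if self.active_kid is None:
            raise RuntimeError("no active signing key")
        header = {"alg": "HS256", "typ": "JWT", "kid": self.active_kid}
        payload = dict(claims, iat=now, exp=now + self.jwt_ttl)
        signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                                 for p in (header, payload))
        mac = hmac.new(self.keys[self.active_kid]["secret"], signing_input.encode(), hashlib.sha256)
        return signing_input + "." + _b64url(mac.digest())

    def verify(self, token, now):
        """Claims, or None: malformed, unknown kid, wrong alg, bad MAC, or expired."""
        try:
            h64, p64, s64 = token.split(".")
            header = json.loads(_b64url_decode(h64))
            key = self.keys.get(header.get("kid")) if isinstance(header, dict) else None
            if key is None or header.get("alg") != "HS256":   # alg is pinned, not read from the token
                return None
            mac = hmac.new(key["secret"], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(mac, _b64url_decode(s64)):
                return None
            claims = json.loads(_b64url_decode(p64))
        except (ValueError, TypeError):     # bad segment count/base64/JSON, unhashable kid
            return None
        exp = claims.get("exp") if isinstance(claims, dict) else None
        return claims if isinstance(exp, (int, float)) and exp > now else None

def rotation_scenario():
    """Replay steps 1-5 of the issue on a simulated clock; True per step if it behaved as described."""
    t0, ks = 1_700_000_000, KeySet()
    a = ks.add_key(t0)                            # 1: [A]; no signer yet, so A signs at once
    token_a = ks.sign({"sub": "alice"}, t0)
    b = ks.add_key(t0 + 600)                      # 2: [B, A], B pending
    kids_step2, signer_step3 = ks.published_kids(), ks.active_kid
    t4 = t0 + 600 + PUBLISH_DELAY                 # 3: backends had 30 min to fetch B
    ks.advance(t4)                                # 4: B signs, A idle
    token_b = ks.sign({"sub": "bob"}, t4)
    valid_step4 = (ks.verify(token_a, t4) is not None, ks.verify(token_b, t4) is not None)
    t5 = t4 + JWT_TTL
    ks.advance(t5)                                # 5: A removed, [B]
    return {"step2": kids_step2 == [b, a], "step3": signer_step3 == a,
            "step4": ks.active_kid == b and valid_step4 == (True, True),
            "step5": ks.published_kids() == [b] and ks.verify(token_a, t5) is None}

def revocation_scenario():
    """Revoke one key of the set: its JWTs die, the other key's survive."""
    t0, ks = 1_700_000_000, KeySet()
    a = ks.add_key(t0)
    token_a = ks.sign({"sub": "alice"}, t0)
    b = ks.add_key(t0 + 10)
    now = t0 + 10 + PUBLISH_DELAY + 1
    ks.advance(now)
    token_b = ks.sign({"sub": "bob"}, now)
    ks.revoke(b)                                  # e.g. only B is suspected compromised
    c = ks.add_key(now)                           # no signer left, so C activates at once
    return {"a_still_valid": ks.verify(token_a, now) is not None,
            "b_rejected": ks.verify(token_b, now) is None,
            "c_signs": ks.active_kid == c, "remaining": ks.published_kids() == [c, a]}
```

The idle period is what makes step 5 safe: a key is only deleted once `jwt_ttl` has passed since it last signed, so no unexpired token can still reference it. Revocation deliberately skips that wait, which is exactly the point of keeping keys separate: only tokens carrying the revoked `kid` fail.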

Metadata

Labels: enhancement (New feature or request)
