JSON Web Key Support #410
Conversation
@danikarik hello, thanks - seems nice to have. I'll come with review comments very soon - need time to get some understanding of the topic. For now I have one question - have you already tried that inside your token infrastructure?
Tried it in a PoC. Planning to deploy it on staging within a couple of days.
Added comments, please take a look.
The last thing is to add our own JWKS wrapper.
Added our own JWKS manager to deal with caching and retrieving the set from the specified endpoint.
```go
select {
case <-ticker: // periodic sweep of expired cache entries
	tc.cleanup()
case <-tc.stop:
```
Is there a way to stop the cache at the moment?
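The review question above is about the lifecycle of the goroutine behind the quoted `select`. The following is an added example, not code from this PR or from Centrifugo: a hypothetical `tokenCache` whose sweeper loop is the same `select` plus a `stop` channel, so the cache can be shut down, a second `Stop` is harmless, and neither the goroutine nor the ticker leaks. All names (`tokenCache`, `newTokenCache`, `evictBefore`, `Stop`, `Stopped`) and the opaque `interface{}` key value are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

type entry struct { // one cached public key (kept opaque here) and when it must be refreshed
	key     interface{}
	expires time.Time
}

// tokenCache is a hypothetical stand-in for a JWKS cache: a mutex-guarded map plus a sweeper goroutine.
type tokenCache struct {
	mu      sync.RWMutex
	entries map[string]entry
	ttl     time.Duration
	stop    chan struct{} // closed by Stop; the sweeper selects on it
	done    chan struct{} // closed by the sweeper once it has exited
	once    sync.Once     // makes a second Stop a no-op instead of a double close
}

func newTokenCache(ttl, sweep time.Duration) *tokenCache {
	tc := &tokenCache{entries: map[string]entry{}, ttl: ttl, stop: make(chan struct{}), done: make(chan struct{})}
	go tc.run(sweep)
	return tc
}

// run is the loop from the review comment; the stop case lets a caller shut the cache down cleanly.
func (tc *tokenCache) run(sweep time.Duration) {
	ticker := time.NewTicker(sweep)
	defer ticker.Stop() // otherwise the ticker keeps firing after the goroutine is gone
	defer close(tc.done)
	for {
		select {
		case <-ticker.C:
			tc.cleanup()
		case <-tc.stop:
			return
		}
	}
}

func (tc *tokenCache) cleanup() int { return tc.evictBefore(time.Now()) }

// evictBefore drops entries that expire at or before t and reports how many it removed.
func (tc *tokenCache) evictBefore(t time.Time) int {
	tc.mu.Lock()
	defer tc.mu.Unlock()
	n := 0
	for kid, e := range tc.entries {
		if !e.expires.After(t) {
			delete(tc.entries, kid)
			n++
		}
	}
	return n
}

func (tc *tokenCache) Set(kid string, key interface{}) {
	tc.mu.Lock()
	tc.entries[kid] = entry{key: key, expires: time.Now().Add(tc.ttl)}
	tc.mu.Unlock()
}

// Get treats an expired entry as a miss even if the sweeper has not run yet.
func (tc *tokenCache) Get(kid string) (interface{}, bool) {
	tc.mu.RLock()
	defer tc.mu.RUnlock()
	e, ok := tc.entries[kid]
	if !ok || !e.expires.After(time.Now()) {
		return nil, false
	}
	return e.key, true
}

// Stop signals the sweeper and waits for it to exit; repeated calls are safe.
func (tc *tokenCache) Stop() {
	tc.once.Do(func() { close(tc.stop) })
	<-tc.done
}

// Stopped reports whether the sweeper goroutine has exited.
func (tc *tokenCache) Stopped() bool {
	select {
	case <-tc.done:
		return true
	default:
		return false
	}
}

func main() {
	tc := newTokenCache(time.Minute, 10*time.Millisecond)
	tc.Set("key-2020", "rsa-public-key-placeholder") // constructed stand-in for an *rsa.PublicKey
	_, hit := tc.Get("key-2020")
	tc.Stop()
	tc.Stop() // must not panic on the already closed channel
	fmt.Println("hit:", hit, "stopped:", tc.Stopped())
}
```

`Stop` blocks until the goroutine has returned, which is what makes it usable from a node's shutdown path: after it returns, no sweep can race with whatever tears the cache down next.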
Thanks @danikarik, great job 👍 Ready to be merged I suppose. Going to make some minor tweaks here before release. Also JWKS support should be documented – will ask you to review the documentation as soon as I send an update to it. @cristaloleg, @C-Pro thanks for your help!
Proposed changes
In case of asymmetric JWT encryption, it's hard to update or verify incoming connection tokens due to the rotating nature of keys. The current scheme of interaction produces a lot of requests to refresh proxy endpoints.

According to RFC 7517 there is a mechanism where we can put a Key ID (`kid`) into token claims and find the appropriate public RSA key for verification using that key identifier. All those public keys are available at a specific URL. This scheme of interaction makes it possible to use the same JWT as the system's internal token and as Centrifugo's connection token. But of course it works only if the system's JWT is fully compatible with Centrifugo's connection token and the JWKS public URL and the token's `kid` are specified.

What I am suggesting: in addition to the existing options (`token_hmac_secret_key` and `token_rsa_public_key`), add `jwks_public_url`. Using the `kid` in claims, it finds the public key and verifies the signature of the token.
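The flow described in the proposal, written out as an added example that is not code from this PR or from Centrifugo: the issuer publishes its RSA public key as an RFC 7517 JWK set under a `kid`, the verifier parses that document into a `kid` to key map (the part a `jwks_public_url` fetcher would cache), and a token is accepted only if its header pins `RS256`, names a `kid` present in the set, and carries a valid signature. The example puts `kid` in the JOSE header, where RFC 7515 defines it. All function names (`newTestKey`, `buildJWKS`, `parseJWKS`, `signRS256`, `verifyRS256`), the `key-2020` identifier and the `sub` claim are constructed for the example; the HTTP fetch itself is left to `http.Get` plus `parseJWKS`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

type jwk struct { // the subset of an RFC 7517 key needed to rebuild an RSA public key
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type jwkSet struct{ Keys []jwk `json:"keys"` } // the document served at the JWKS URL
var b64 = base64.RawURLEncoding                // JWK and JWT segments are unpadded base64url
func newTestKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // issuer key, generated for the example
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }                // SHA-256 of a JWT signing input

// buildJWKS is what the issuer publishes for one key under a kid.
func buildJWKS(kid string, pub *rsa.PublicKey) ([]byte, error) {
	e := big.NewInt(int64(pub.E)).Bytes()
	k := jwk{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}
	return json.Marshal(jwkSet{Keys: []jwk{k}})
}

// parseJWKS is the verifier's view of that document: a kid -> public key map.
func parseJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set jwkSet
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := make(map[string]*rsa.PublicKey)
	for _, k := range set.Keys {
		if k.Kty != "RSA" || k.Kid == "" {
			continue // only RSA keys with a kid can be selected from a token header
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil || len(e) > 3 { // keep the exponent within int on every platform
			return nil, fmt.Errorf("kid %q: malformed n/e", k.Kid)
		}
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return keys, nil
}

// signRS256 is the issuer side: a compact JWT whose header names the signing key by kid.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims) // constructed claims are plain JSON values
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyRS256 is the verifier side: pin the algorithm, pick the key by kid, check the signature.
func verifyRS256(token string, keys map[string]*rsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	rawHdr, errH := b64.DecodeString(parts[0])
	rawClaims, errC := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if errH != nil || errC != nil || errS != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("rejected header") // the verifier's configuration, not the token, decides alg
	}
	pub, ok := keys[hdr.Kid] // on a miss a caller may refresh the set once; never fall back to another key
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	var claims map[string]interface{} // parsed only after the signature checks out
	if err := json.Unmarshal(rawClaims, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	priv, _ := newTestKey()
	doc, _ := buildJWKS("key-2020", &priv.PublicKey) // what jwks_public_url serves; fetch with http.Get, then parseJWKS
	keys, _ := parseJWKS(doc)
	token, _ := signRS256(priv, "key-2020", map[string]interface{}{"sub": "42"})
	fmt.Println(verifyRS256(token, keys))
}
```

Two choices in `verifyRS256` carry the security weight of a JWKS design: the accepted algorithm comes from the verifier's configuration rather than from the token's `alg`, and an unknown `kid` is a rejection (at most a trigger for one refresh of the set), never a reason to try the other keys in the set. Refreshing on every miss would recreate the flood of refresh requests the proposal sets out to avoid, so a cache with a TTL sits between the fetch and this function.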