Support RS256/JWKS for signing/verifying OAUTH JWTs #15912
Comments
@KN4CK3R ❤️ yeah, I think the same approach that the builtin SSH server has for generating certs is acceptable. I think that |
To close the loop on this, I've paid out the bounty prior to the merge of this PR. Thanks again to @KN4CK3R for their work on this :) |
Will this change invalidate all my api keys? Or can i simply restart my drone ci and it works as before? Setting |
Background information on RS256 here: https://auth0.com/blog/navigating-rs256-and-jwks/
Utilizing RS256 (as an option) to sign JWTs means that a shared secret won't need to be shared with applications to verify the validity of the token (likely currently applications assume tokens are valid without checking signature).
Two applications that I tested using our OIDC well-known endpoint, which are Sourcegraph and Smallstep CA, fail due to them needing to verify tokens they receive.
I'm willing to pay out a bounty of $100USD on this (minus whatever bogus fees paypal requires), and pay that directly to the contributor who completes this ticket. This is instead of using bounty source as they take slightly more off the top than paypal directly (I'm going this way to incentivise completion even slightly more).
cc: @jonasfranz
Edit: For this ticket please also create a jwks_uri and add it to the well-known oidc endpoint.
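As an added illustration of the RS256 / jwks_uri flow requested above (example code, not Gitea's implementation and not from this issue): the issuer publishes only its public key in a JWKS, signs tokens with its private key, and a relying party such as the OIDC clients mentioned verifies with nothing but that JWKS. The key id `k1` and the claims used in testing are constructed for the example.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)
var b64 = base64.RawURLEncoding // JOSE base64url, no padding
// PublishJWKS exports only the public key as the "keys" entry of the document served at jwks_uri.
func PublishJWKS(kid string, pub *rsa.PublicKey) []map[string]string {
	return []map[string]string{{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}
}
// SignRS256 is the issuer side: header.payload signed with the private key (RSASSA-PKCS1-v1_5 / SHA-256).
func SignRS256(kid string, claims []byte, priv *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}
// VerifyRS256 is the relying-party side: JWKS only, no shared secret; alg pinned to RS256, key chosen by kid.
func VerifyRS256(token string, keys []map[string]string) ([]byte, error) {
	hB64, rest, _ := strings.Cut(token, ".")
	pB64, sB64, ok := strings.Cut(rest, ".")
	h, errH := b64.DecodeString(hB64)
	sig, errS := b64.DecodeString(sB64)
	var hdr struct{ Alg, Kid string }
	if !ok || errH != nil || errS != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or alg != RS256") // also rejects alg=none / HS256 swaps
	}
	digest := sha256.Sum256([]byte(hB64 + "." + pB64)) // the signed input is header.payload
	for _, k := range keys {
		if k["kid"] == hdr.Kid && k["kty"] == "RSA" {
			n, _ := b64.DecodeString(k["n"])
			e, _ := b64.DecodeString(k["e"])
			pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
			if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
				return nil, err
			}
			return b64.DecodeString(pB64)
		}
	}
	return nil, errors.New("no RSA JWK matches kid " + hdr.Kid)
}
```

A real relying party fetches the JWKS from the jwks_uri advertised in the OIDC discovery document and should still check the standard claims (iss, aud, exp) after the signature passes.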