Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make JWT key type independently configurable #1928

Closed
mbyczkowski opened this issue Oct 21, 2020 · 0 comments · Fixed by #1991
Closed

Make JWT key type independently configurable #1928

mbyczkowski opened this issue Oct 21, 2020 · 0 comments · Fixed by #1991
Assignees
@evan2645

Comments

@mbyczkowski
Copy link
Contributor

Currently (including, the yet unreleased version 0.12) SPIRE has global configurable key type (ca_key_type config option) that allows to set RSA or EC key types for both JWTs and X509. This means that if one has to use RSA for JWTs, then X509 will switch to RSA as well, which might be undesirable.

This came up for me when looking into OIDC federation, during which I have learned that the vendor doesn't seem to support EC JWTs.

Perhaps as @evan2645 pointed in Slack, introducing a new config option (potentially called jwt_key_type) could be a great start here?

Long-term it would be good to be able to support multiple key types at the same time (at least for JWTs). I can see a scenario where a federation with vendor A could use RSA keys whereas federation with vendor B could use still use EC.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@evan2645 evan2645

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Allow CA to configure different key type for JWTs and X509 mbyczkowski/spire
2 participants
@mbyczkowski @evan2645