Rotating the signing key periodically limits the damage in case of a key compromise. The period has been set to a short period of time (1H) to make sure the Relying-Parties know how to handle the key rotation, as it forces them to automate the retrieval of the JWKS document. Without that, a Relying-Party might be tempted to hardcode the signing key, which will break the day a key rotation is really needed. Also, to make sure we play nice with all Relying-Party implementations, a `kid` header [0] has been added to the ID token.

Part of story #14714: be an OpenID Connect provider

[0] https://tools.ietf.org/html/rfc7515#section-4.1.4

Change-Id: I7eedb367ca1bef3d73160a89baf7647134778dfa
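The behaviour the commit message relies on, as an added example that is not the project's code: the provider rotates its signing key once the expiration date passes and keeps a retired key published in the JWKS only until tokens signed with it have expired, while the Relying-Party picks the key by `kid` and refetches the JWKS on an unknown `kid` rather than hardcoding anything. The rotation period is the 1H from the message; the 5-minute token lifetime, the in-memory key table and the HMAC signature are assumptions. HMAC stands in for the RSA signature so the block runs with the standard library alone; a real JWKS publishes only public keys and would never carry an `oct` secret.

```python
import base64, hashlib, hmac, json, secrets

ROTATION_PERIOD = 3600  # 1H, the signing-key lifetime the commit message describes
TOKEN_LIFETIME = 300    # assumed ID token lifetime: a retired key stays in the JWKS this long

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class SigningKeyStore:
    """Provider side: one active key, replaced once its expiration date has passed."""
    def __init__(self, now: int):
        self.keys = []  # constructed in-memory stand-in for the signing-key table
        self._create(now)
    def _create(self, now: int) -> None:
        self.keys.append({"kid": secrets.token_hex(8), "secret": secrets.token_bytes(32),
                          "expires_at": now + ROTATION_PERIOD})
    def current(self, now: int) -> dict:
        if self.keys[-1]["expires_at"] <= now:
            self._create(now)  # expiration date reached: rotate
        return self.keys[-1]
    def jwks(self, now: int) -> dict:
        # A retired key is unpublished only once every token it could have signed has expired.
        self.keys = [k for k in self.keys if k["expires_at"] + TOKEN_LIFETIME > now]
        return {"keys": [{"kid": k["kid"], "kty": "oct", "k": b64url(k["secret"])} for k in self.keys]}

def issue_id_token(store: SigningKeyStore, claims: dict, now: int) -> str:
    key = store.current(now)
    header = {"alg": "HS256", "kid": key["kid"]}  # kid tells the RP which JWK to use
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

class RelyingParty:
    """RP side: caches the JWKS and refetches it on an unknown kid instead of hardcoding a key."""
    def __init__(self, fetch_jwks):
        self.fetch_jwks, self.cache, self.refetches = fetch_jwks, {}, 0
    def _jwk(self, kid):
        if kid not in self.cache:  # unknown kid: the provider probably rotated, fetch once
            self.cache = {jwk["kid"]: jwk for jwk in self.fetch_jwks()["keys"]}
            self.refetches += 1
        return self.cache.get(kid)
    def verify(self, token: str):
        # Returns the claims when the signature checks out under the key named by kid, else None.
        h64, c64, s64 = token.split(".")
        jwk = self._jwk(json.loads(b64url_decode(h64)).get("kid"))
        if jwk is None:
            return None
        expected = hmac.new(b64url_decode(jwk["k"]), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
        return json.loads(b64url_decode(c64)) if hmac.compare_digest(expected, b64url_decode(s64)) else None
```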
Modified Files

Status | File | Added | Removed
---|---|---|---
M | plugins/oauth2_server/db/install.sql | +3 | −2
A | plugins/oauth2_server/db/mysql/2020/202004241830_add_expiration_date_column_oauth2_signing_key.php | +49 | −0
M | plugins/oauth2_server/include/OpenIDConnect/IDToken/OpenIDConnectIDTokenCreator.php | +7 | −2
M | plugins/oauth2_server/include/OpenIDConnect/IDToken/OpenIDConnectSigningKeyDAO.php | +22 | −15
M | plugins/oauth2_server/include/OpenIDConnect/IDToken/OpenIDConnectSigningKeyFactory.php | +55 | −20
A | plugins/oauth2_server/include/OpenIDConnect/IDToken/SigningPrivateKey.php | +56 | −0
A | plugins/oauth2_server/include/OpenIDConnect/IDToken/SigningPublicKey.php | +71 | −0
M | plugins/oauth2_server/include/OpenIDConnect/JWK/JSONWebKey.php | +6 | −15
M | plugins/oauth2_server/include/OpenIDConnect/JWK/JWKSDocumentEndpointController.php | +20 | −6
M | plugins/oauth2_server/include/oauth2_serverPlugin.php | +17 | −4
M | plugins/oauth2_server/tests/e2e/cypress/rp-oidc/OAuth2AuthorizationCallbackController.php | +17 | −5
M | plugins/oauth2_server/tests/integration/OpenIDConnect/IDToken/OpenIDConnectSigningKeyDAOTest.php | +24 | −10
M | plugins/oauth2_server/tests/unit/OpenIDConnect/IDToken/OpenIDConnectIDTokenCreatorTest.php | +10 | −3
M | plugins/oauth2_server/tests/unit/OpenIDConnect/IDToken/OpenIDConnectSigningKeyFactoryTest.php | +24 | −15
A | plugins/oauth2_server/tests/unit/OpenIDConnect/IDToken/SigningPrivateKeyTest.php | +84 | −0
A | plugins/oauth2_server/tests/unit/OpenIDConnect/IDToken/SigningPublicKeyTest.php | +49 | −0
M | plugins/oauth2_server/tests/unit/OpenIDConnect/JWK/JSONWebKeySetTest.php | +2 | −1
M | plugins/oauth2_server/tests/unit/OpenIDConnect/JWK/JSONWebKeyTest.php | +5 | −3
M | plugins/oauth2_server/tests/unit/OpenIDConnect/JWK/JWKSDocumentEndpointControllerTest.php | +4 | −2