stable

Rotate ID token signing keys periodically

Rotating the signing key periodically limits the damage in case of a key compromise. The period has been set to a short period of time (1H) to make sure the Relying-Parties know how to handle the key rotation, as it forces them to automate the retrieval of the JWKS document. Without that, a Relying-Party might be tempted to hardcode the signing key, which will break the day a key rotation is really needed. Also, to make sure we play nicely with all Relying-Party implementations, a `kid` header [0] has been added to the ID token.

Part of story #14714: be an OpenID Connect provider

[0] https://tools.ietf.org/html/rfc7515#section-4.1.4

Change-Id: I7eedb367ca1bef3d73160a89baf7647134778dfa
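The Relying-Party behaviour the commit message asks for (fetch the JWKS instead of hardcoding a key, select the verification key by the `kid` header, cope with a rotation that happens between two tokens) is shown below as an added, self-contained example. It is not Tuleap's code and not the plugin's PHP: it is an illustrative Go program in which a small `provider` type stands in for the OpenID Connect provider. The key type (Ed25519, JWS `alg` `EdDSA`), the `kid` values `key-1`/`key-2`/`key-3`, the issuer `https://op.example` and the sample claims are all constructed for the demo; the page does not say which algorithm or `kid` format the plugin uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

func b64(b []byte) string            { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// provider stands in for the OP (assumed for the demo): the signing keys it still publishes, by kid.
type provider map[string]ed25519.PrivateKey

// rotate adds a fresh key under kid. Older keys stay published so ID tokens issued
// before the rotation keep verifying until the OP retires them.
func (p provider) rotate(kid string) {
	_, k, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing rand.Reader is not something this demo can recover from
	}
	p[kid] = k
}

// JWKS renders the published keys (RFC 7517, RFC 8037 OKP fields) as the document jwks_uri would serve.
func (p provider) JWKS() []byte {
	var keys []map[string]string
	for kid, k := range p {
		keys = append(keys, map[string]string{"kty": "OKP", "crv": "Ed25519", "use": "sig", "kid": kid, "x": b64(k.Public().(ed25519.PublicKey))})
	}
	out, _ := json.Marshal(map[string]any{"keys": keys})
	return out
}

// Sign builds a compact EdDSA JWS whose header names the signing key via kid (RFC 7515 section 4.1.4).
func (p provider) Sign(kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64(hdr) + "." + b64(body)
	return input + "." + b64(ed25519.Sign(p[kid], []byte(input)))
}

// relyingParty caches the JWKS and refetches it at most once per token when a kid is unknown.
type relyingParty struct {
	fetch   func() []byte
	cache   map[string]ed25519.PublicKey
	fetches int
}

func (rp *relyingParty) refresh() error {
	var doc struct{ Keys []map[string]string }
	if err := json.Unmarshal(rp.fetch(), &doc); err != nil {
		return err
	}
	rp.fetches++
	rp.cache = map[string]ed25519.PublicKey{} // replace rather than merge, so retired keys drop out
	for _, k := range doc.Keys {
		if x, err := unb64(k["x"]); err == nil && k["kty"] == "OKP" && k["crv"] == "Ed25519" && len(x) == ed25519.PublicKeySize {
			rp.cache[k["kid"]] = ed25519.PublicKey(x)
		}
	}
	return nil
}

// Verify checks a compact JWS against the published key its kid header names.
func (rp *relyingParty) Verify(token string) error {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if hdrJSON, err := unb64(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "EdDSA" {
		return errors.New("malformed JWS or unexpected alg") // pin the alg; never let the token choose it
	}
	key, ok := rp.cache[hdr.Kid]
	if !ok { // unknown kid: the OP has probably rotated, so refetch the JWKS once and no more
		if err := rp.refresh(); err != nil {
			return err
		}
		if key, ok = rp.cache[hdr.Kid]; !ok {
			return errors.New("no published key for kid " + hdr.Kid)
		}
	}
	if sig, err := unb64(parts[2]); err != nil || !ed25519.Verify(key, []byte(parts[0]+"."+parts[1]), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo walks through one rotation and reports the JWKS fetch count (3 expected: first token,
// first token after rotation, one refetch for a kid that was never published), whether the
// pre-rotation token still verifies, and whether the unpublished-kid token was rejected.
func Demo() (fetches int, oldStillValid, unpublishedRejected bool, err error) {
	op, rogue := provider{}, provider{}
	rp := &relyingParty{fetch: op.JWKS}
	claims := map[string]any{"iss": "https://op.example", "sub": "alice"} // constructed sample claims
	op.rotate("key-1")
	tok1 := op.Sign("key-1", claims)
	err1 := rp.Verify(tok1) // empty cache: first fetch
	op.rotate("key-2")
	err2 := rp.Verify(op.Sign("key-2", claims)) // unknown kid: second fetch, then success
	oldStillValid = rp.Verify(tok1) == nil       // key-1 is still published: served from cache, no fetch
	rogue.rotate("key-3")
	unpublishedRejected = rp.Verify(rogue.Sign("key-3", claims)) != nil // third fetch, then rejection
	return rp.fetches, oldStillValid, unpublishedRejected, errors.Join(err1, err2)
}
```

Two design points matter with a rotation period as short as one hour. The cache is replaced, not merged, on every refresh, so a key the provider stops publishing disappears from the Relying-Party as soon as the next unknown `kid` forces a refetch. And an unknown `kid` triggers exactly one refetch before the token is rejected; without that bound, a token with a made-up `kid` would let anyone make the Relying-Party hit `jwks_uri` on every request, so a production client should also rate-limit those refetches.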

Modified Files

M plugins/oauth2_server/db/install.sql +3 −2
A plugins/oauth2_server/db/mysql/2020/202004241830_add_expiration_date_column_oauth2_signing_key.php +49 −0
M plugins/oauth2_server/include/OpenIDConnect/IDToken/OpenIDConnectIDTokenCreator.php +7 −2
M plugins/oauth2_server/include/OpenIDConnect/IDToken/OpenIDConnectSigningKeyDAO.php +22 −15
M plugins/oauth2_server/include/OpenIDConnect/IDToken/OpenIDConnectSigningKeyFactory.php +55 −20
A plugins/oauth2_server/include/OpenIDConnect/IDToken/SigningPrivateKey.php +56 −0
A plugins/oauth2_server/include/OpenIDConnect/IDToken/SigningPublicKey.php +71 −0
M plugins/oauth2_server/include/OpenIDConnect/JWK/JSONWebKey.php +6 −15
M plugins/oauth2_server/include/OpenIDConnect/JWK/JWKSDocumentEndpointController.php +20 −6
M plugins/oauth2_server/include/oauth2_serverPlugin.php +17 −4
M plugins/oauth2_server/tests/e2e/cypress/rp-oidc/OAuth2AuthorizationCallbackController.php +17 −5
M plugins/oauth2_server/tests/integration/OpenIDConnect/IDToken/OpenIDConnectSigningKeyDAOTest.php +24 −10
M plugins/oauth2_server/tests/unit/OpenIDConnect/IDToken/OpenIDConnectIDTokenCreatorTest.php +10 −3
M plugins/oauth2_server/tests/unit/OpenIDConnect/IDToken/OpenIDConnectSigningKeyFactoryTest.php +24 −15
A plugins/oauth2_server/tests/unit/OpenIDConnect/IDToken/SigningPrivateKeyTest.php +84 −0
A plugins/oauth2_server/tests/unit/OpenIDConnect/IDToken/SigningPublicKeyTest.php +49 −0
M plugins/oauth2_server/tests/unit/OpenIDConnect/JWK/JSONWebKeySetTest.php +2 −1
M plugins/oauth2_server/tests/unit/OpenIDConnect/JWK/JSONWebKeyTest.php +5 −3
M plugins/oauth2_server/tests/unit/OpenIDConnect/JWK/JWKSDocumentEndpointControllerTest.php +4 −2