@sharjeeltariq Thanks for opening this issue for enhancement. As we've discussed offline, I am adding more details below for other developers to track what is changing and in what condition they can leverage the new feature.
As we know, light-oauth2 has a key distribution service that allows a service/resource server to retrieve the public key certificate by passing the kid from the JWT token header. When a key is rotated on the OAuth2 server, there is no need to push the public key certificate to all servers in order to verify the signature of a JWT signed by the OAuth2 server. Currently, we have the option to package the public key certificate(s) with other configuration files during deployment. But if you are using light-oauth2 to secure your service, you don't need to do that. Once the server is up and running, it will go to the OAuth2 server to get the certificate and cache it until the new key is rolled out. In the light*4j framework, we do support other OAuth2 servers, but given that no other commercial servers support key distribution this way, we want to make it configurable so that the service can bootstrap either by dynamically loading the key from the key service of the OAuth2 server or from local config. The implementation detail will follow.
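A sketch of the kid-based lookup with the configurable bootstrap described in the comment above, added here as an illustration and not taken from light-4j or light-oauth2. The class name, the `bootstrapFromKeyService` switch and the `keyService` function are hypothetical, and the key service is simulated with an in-memory map of constructed keys.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

// Added example: all names here are hypothetical, not light-4j or light-oauth2 APIs.
public class KidKeyResolver {
    private final boolean bootstrapFromKeyService;        // config switch: key service or local config
    private final Map<String, PublicKey> localKeys;       // certificates packaged with the configuration
    private final Function<String, PublicKey> keyService; // stand-in for the remote lookup by kid
    private final Map<String, PublicKey> cache = new ConcurrentHashMap<>();

    public KidKeyResolver(boolean bootstrapFromKeyService, Map<String, PublicKey> localKeys,
                          Function<String, PublicKey> keyService) {
        this.bootstrapFromKeyService = bootstrapFromKeyService;
        this.localKeys = localKeys;
        this.keyService = keyService;
    }

    public PublicKey resolve(String kid) {
        // The kid comes from an unverified token header: constrain it before using it in a lookup.
        if (kid == null || !kid.matches("[A-Za-z0-9_-]{1,64}")) {
            throw new IllegalArgumentException("malformed kid");
        }
        PublicKey key = bootstrapFromKeyService
                ? cache.computeIfAbsent(kid, keyService) // fetched once per kid, then served from cache
                : localKeys.get(kid);
        if (key == null) {
            throw new IllegalStateException("no verification key for kid " + kid);
        }
        return key;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        // Constructed sample data: kid "100" is the current key, "101" appears after rotation.
        Map<String, PublicKey> server = new ConcurrentHashMap<>();
        server.put("100", gen.generateKeyPair().getPublic());
        int[] fetches = {0};
        KidKeyResolver dynamic = new KidKeyResolver(true, Map.of(), kid -> { fetches[0]++; return server.get(kid); });
        dynamic.resolve("100");
        dynamic.resolve("100");                                // cache hit, no second fetch
        server.put("101", gen.generateKeyPair().getPublic()); // key rotated on the OAuth2 server
        dynamic.resolve("101");                                // new kid triggers one more fetch
        System.out.println("fetches from key service: " + fetches[0]);
        KidKeyResolver local = new KidKeyResolver(false, Map.copyOf(server), kid -> null);
        System.out.println("local config has kid 100: " + (local.resolve("100") != null));
    }
}
```

In this sketch an unknown kid reaches the key service on every request, so a real deployment would rate-limit or negatively cache such lookups.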