
Lazy JWT Key Rotation in .NET: Redis-Powered JWKS That Just Works


In the previous article we added the two standard JWKS discovery endpoints to our authentication server.

As part of the OpenID Connect (OIDC) protocol, the first of these endpoints lets an API discover where the other relevant endpoints are, and the second publishes the public keys that clients use to verify the RS256 signatures on the JWTs that we issue.

The implementation we've been working on so far only ever served a single key, though. In this article we're going to change that.

We’ll implement proper key rotation so we can safely swap signing keys on a schedule, while still allowing any tokens signed with older keys to keep working until they expire.

To make it all work cleanly we’ll store the keys in Redis. This gives us automatic expiry (so rotation happens without any cron jobs), and because the keys live in the cache they survive application restarts and deployments too.
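Added here as an illustration, not code from the article's repository: a stand-alone C# sketch of the lazy rotation rule described above. An in-memory dictionary with explicit expiry timestamps stands in for Redis keys with TTLs, and `LazyRotatingKeyStore`, its constructor parameters and the `now` clock hook are my own names, not the project's.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// Added example (not the article's code). Each stored entry carries an absolute
// expiry, as a Redis key with a TTL would. A key lives for one rotation interval
// plus the longest token lifetime, so a retired key stays in the JWKS exactly as
// long as any token it signed can still be valid.
public sealed class LazyRotatingKeyStore
{
    private readonly TimeSpan _rotateEvery;   // how often a fresh signing key is minted
    private readonly TimeSpan _maxTokenLife;  // longest-lived token we ever issue
    private readonly Func<DateTimeOffset> _now; // injectable clock (assumed helper, for tests)
    private readonly ConcurrentDictionary<string, (RSA Key, DateTimeOffset Created, DateTimeOffset Expires)> _store = new();
    private readonly object _rotateLock = new();

    public LazyRotatingKeyStore(TimeSpan rotateEvery, TimeSpan maxTokenLife, Func<DateTimeOffset> now = null)
    { _rotateEvery = rotateEvery; _maxTokenLife = maxTokenLife; _now = now ?? (() => DateTimeOffset.UtcNow); }

    // Only entries that have not expired: Redis would already have evicted the rest.
    private IEnumerable<KeyValuePair<string, (RSA Key, DateTimeOffset Created, DateTimeOffset Expires)>> Live()
        => _store.Where(e => e.Value.Expires > _now());

    // Lazy rotation: reuse the newest key while it is inside its rotation window,
    // otherwise mint a new one on demand. No scheduler or cron job is involved.
    public (string Kid, RSA Key) CurrentSigningKey()
    {
        lock (_rotateLock)
        {
            var now = _now();
            var newest = Live().OrderByDescending(e => e.Value.Created).FirstOrDefault();
            if (newest.Key != null && now - newest.Value.Created < _rotateEvery)
                return (newest.Key, newest.Value.Key);
            var kid = Guid.NewGuid().ToString("N");
            var rsa = RSA.Create(2048);
            _store[kid] = (rsa, now, now + _rotateEvery + _maxTokenLife); // TTL = rotation + token life
            return (kid, rsa);
        }
    }

    // JWKS view: every live key, so verifiers can still check tokens signed by a retired key.
    public IReadOnlyList<object> PublicJwks() => Live().Select(e =>
    {
        var p = e.Value.Key.ExportParameters(false); // public half only
        return new { kty = "RSA", use = "sig", alg = "RS256", kid = e.Key,
                     n = Base64Url(p.Modulus), e = Base64Url(p.Exponent) };
    }).ToList<object>();

    private static string Base64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```

Passing a fake clock to the constructor lets you step time forward and watch the JWKS grow by one key per rotation and shrink again once an old key's window has elapsed.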

There is a repository on GitHub that you can clone, run and debug if you want to see the code I'm talking about in this article. I've basically taken the code from the previous article and added some extra features, and it's those additions that I'll be explaining in this article.

This article's code: https://github.com/aaroncpina/Aaron.Pina.Blog.Article.08

Previous article's code: https://github.com/aaroncpina/Aaron.Pina.Blog.Article.07

The recommended approach is to take the previous article's code and add to it yourself as you read the article. That way you'll "get your hands dirty" as they say, which is going to help the concepts stick in your mind. But if you want to just use the already prepared code, that's fine too.

Okay, let's start!
