Anonymitaet commented on code in PR #580: URL: https://github.com/apache/pulsar-site/pull/580#discussion_r1197219830
########## docs/security-openid-connect.md: ########## 
@@ -72,6 +76,10 @@ When using OIDC for a client connecting through the proxy to the broker, it is n ::: +### Signing Key Rotation + +The [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html) spec gives the `AuthenticationProviderOpenID` a way to discover trusted public keys. The public keys are formatted as a [JSON Web Key (JWK)](https://www.rfc-editor.org/rfc/rfc7517) set, also known as a JWKS. When the Identity Provider rotates signing keys, there is a chance that the Identity Provider will start signing tokens with the new key before the JWKS cache has been refreshed. In order to avoid rejecting tokens signed with the new key, the OIDC Authentication Provider will attempt to refresh the JWKS when a token has a trusted issuer claim but the key ID (kid claim) is not in the issuer's cached JWKS. The `openIDKeyIdCacheMissRefreshSeconds` setting determines how long the OIDC Authentication Provider will wait before attempting to refresh the JWKS. The default value is 300 seconds and means that a JWKS must have been in the cache for at least 300 seconds before a missing key ID wil l trigger cache invalidation. The `openIDKeyIdCacheMissRefreshSeconds` setting protects the OIDC Authentication Provider from a malicious client that presents a token with a new key ID every time it connects. Review Comment: ```suggestion The [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html) spec gives the `AuthenticationProviderOpenID` a way to discover trusted public keys. The public keys are formatted as a [JSON Web Key (JWK)](https://www.rfc-editor.org/rfc/rfc7517) set, also known as a JWKS. When the Identity Provider rotates signing keys, there is a chance that the Identity Provider will start signing tokens with the new key before the JWKS cache has been refreshed. 
To avoid rejecting tokens signed with the new key, the OIDC Authentication Provider will attempt to refresh the JWKS when a token has a trusted issuer claim but the key ID (kid claim) is not in the issuer's cached JWKS. The `openIDKeyIdCacheMissRefreshSeconds` setting determines how long the OIDC Authentication Provider will wait before attempting to refresh the JWKS. The default value is 300 seconds. It means that a JWKS must have been in the cache for at least 300 seconds before a missing key ID triggers cache invalidation. The `openIDKeyIdCacheMissRefreshSeconds` setting protects the OIDC Authentication Provider from a malicious client that presents a token with a new key ID every time it connects.
```
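Review bot: the new "Signing Key Rotation" paragraph describes `openIDKeyIdCacheMissRefreshSeconds` in two ways that do not quite agree: first as "how long the OIDC Authentication Provider will wait before attempting to refresh the JWKS", then as the minimum time "a JWKS must have been in the cache ... before a missing key ID will trigger cache invalidation". The second reading is the precise one (the window is measured from the last JWKS load, so a kid miss can cause at most one refresh per window and none while the cached JWKS is younger than the window); suggest keeping that sentence and rephrasing the first so it does not read as a delay that is added before every refresh. It would also help readers to state explicitly what happens to a token whose kid is missing while the window has not elapsed, since the preceding sentence ("In order to avoid rejecting tokens signed with the new key") only implies that such tokens are rejected.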
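The kid-miss refresh rule that the documented setting describes, modelled as an added example; this is not Pulsar's `AuthenticationProviderOpenID` code and not part of the PR. The JWKS fetcher is a fake callable, the issuer URL and key values are constructed placeholders, and the choice to return no key (so the caller rejects the token) when the window has not yet elapsed is an assumption drawn from the documentation text rather than from the implementation:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed model of the openIDKeyIdCacheMissRefreshSeconds rule:
# on a kid miss, the cached JWKS is re-fetched only if it has been in the
# cache for at least the configured number of seconds. Everything below is
# illustrative and not Pulsar's implementation.


@dataclass
class CachedJwks:
    keys: Dict[str, str]   # kid -> public key material (placeholder strings)
    fetched_at: float      # seconds on the caller's clock when this JWKS was loaded


@dataclass
class JwksCache:
    fetch: Callable[[str], Dict[str, str]]          # issuer -> JWKS (kid -> key); fake here
    key_id_cache_miss_refresh_seconds: float = 300.0  # documented default
    entries: Dict[str, CachedJwks] = field(default_factory=dict)
    fetch_count: int = 0                             # how many discovery fetches happened

    def _load(self, issuer: str, now: float) -> CachedJwks:
        self.fetch_count += 1
        entry = CachedJwks(keys=dict(self.fetch(issuer)), fetched_at=now)
        self.entries[issuer] = entry
        return entry

    def get_key(self, issuer: str, kid: str, now: float) -> Optional[str]:
        """Return the key for (issuer, kid). On a kid miss, invalidate and
        re-fetch the JWKS only when the cached copy is old enough; otherwise
        return None (assumption: the caller then rejects the token)."""
        entry = self.entries.get(issuer)
        if entry is None:
            entry = self._load(issuer, now)
        key = entry.keys.get(kid)
        if key is not None:
            return key
        # kid miss: the window throttles how often an unknown kid can trigger a refresh
        if now - entry.fetched_at >= self.key_id_cache_miss_refresh_seconds:
            entry = self._load(issuer, now)
            return entry.keys.get(kid)
        return None


def simulate() -> dict:
    """Walk through a key rotation and a flood of bogus kids; returns observations."""
    issuer = "https://issuer.example"            # placeholder issuer
    published = {"kid-2023-a": "PUBKEY-A"}       # constructed JWKS content at the IdP
    cache = JwksCache(fetch=lambda _iss: published)
    results = {}

    # t=0: first lookup loads the JWKS for this issuer
    results["initial"] = cache.get_key(issuer, "kid-2023-a", now=0.0)

    # A client presenting a fresh unknown kid on every connection, all inside
    # the 300 s window: none of these may trigger a discovery fetch.
    for i in range(1000):
        cache.get_key(issuer, f"bogus-{i}", now=10.0 + i * 0.1)
    results["fetches_after_flood"] = cache.fetch_count

    # The IdP rotates and publishes a new key; the cache has not seen it yet.
    published["kid-2023-b"] = "PUBKEY-B"
    results["new_kid_before_window"] = cache.get_key(issuer, "kid-2023-b", now=200.0)
    results["new_kid_after_window"] = cache.get_key(issuer, "kid-2023-b", now=300.0)
    results["fetches_after_rotation"] = cache.fetch_count

    # After the refresh the window restarts, so another flood is throttled again.
    for i in range(1000):
        cache.get_key(issuer, f"bogus2-{i}", now=310.0 + i * 0.1)
    results["fetches_after_second_flood"] = cache.fetch_count
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The two floods show why the window exists: a thousand unknown key IDs cause no discovery traffic at all, while a genuinely rotated key becomes usable at the first lookup after the cached JWKS turns 300 seconds old, which is the trade-off the documentation paragraph describes.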
