Hi Hasanthi,

Thank you for asking a good question.

> Think of a scenario where we have a JWT signed using the primary key. After we
> make the keystore to facilitate multiple keys and have a certificate
> resolver, if we do a key rotation with completely new keys, how can we
> validate the signature of the JWT? After the rotation the JWKS endpoint
> does not contain the keyset of the old keystore, right?

No, we will have the keysets of the old key. This is a problem of how you do the key rotation. So we have to follow one of the two approaches in performing the key rotation in our new implementation to mitigate the problem you mentioned:

1. We can import the new key with a different alias and make that alias the primary for signing and encryption. The certificate resolver will make sure that the correct alias is used after rotation. In this case, we don't have to remove the old key from the keystore to introduce a new key. Thus we can expose the JWKS of the old key in the endpoint until we explicitly remove the key from the keystore. This will be the recommended way of doing a key rotation for our new implementation.

2. Normally in a keystore, we cannot introduce a new key with an already existing alias. Hence we have to delete the old key or change its alias. If we are planning to use the same alias, then first we have to change the old key's alias to a different one before importing the new key with the old alias. By changing the old key's alias, we can make sure that we don't have to remove the old key in order to reuse the same alias.

FYI, as far as the key is in the keystore, we can expose its key sets in the JWKS endpoint.

Hope this will clarify the problem. Please ask if you have further doubts on this.

Thanks and Regards,
kumaaran

--
*Inthirakumaaran*
Software Engineer | WSO2
E-mail: [email protected]
Mobile: +94775558050
Web: https://wso2.com <http://wso2.com/signature>
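The two rotation approaches above, worked through as an added example; this is not WSO2 code and not part of the original thread. It models the keystore as an in-memory alias-to-key map with a primary alias, signs JWTs with whatever alias is primary, and verifies them by resolving the token's `kid` against the keys still present in the store. HS256 (HMAC) is used only so the example needs nothing outside the Python standard library; a real keystore would hold RSA/EC key pairs and the JWKS would publish only public parts. The `kid` is a thumbprint of the key rather than the alias (an assumption of this example) so that renaming an alias in approach 2 does not change which key an already issued token refers to. The alias `wso2carbon` and all key bytes are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def key_id(key: bytes) -> str:
    # kid is a thumbprint of the key rather than its alias, so renaming an
    # alias (approach 2) never changes which key a token's kid refers to.
    return hashlib.sha256(key).hexdigest()[:16]

class KeyStore:
    """Constructed in-memory stand-in for a keystore: alias -> key, plus a primary alias."""

    def __init__(self):
        self.keys = {}
        self.primary = None

    def import_key(self, alias, key):
        if alias in self.keys:  # a real keystore will not overwrite an alias either
            raise ValueError(f"alias {alias!r} already exists")
        self.keys[alias] = key
        self.primary = self.primary or alias

    def set_primary(self, alias):
        if alias not in self.keys:
            raise KeyError(alias)
        self.primary = alias

    def rename(self, old_alias, new_alias):
        if new_alias in self.keys:
            raise ValueError(f"alias {new_alias!r} already exists")
        self.keys[new_alias] = self.keys.pop(old_alias)
        if self.primary == old_alias:
            self.primary = new_alias

    def find_by_kid(self, kid):
        return next((k for k in self.keys.values() if key_id(k) == kid), None)

    def jwks(self):
        # One entry per key still in the store, metadata only; a real JWKS
        # carries the RSA/EC public parts, never symmetric secrets.
        return {"keys": [{"kid": key_id(k), "kty": "oct", "alg": "HS256", "use": "sig"}
                         for k in self.keys.values()]}

def sign_jwt(ks, claims):
    # Resolver behaviour: the primary alias signs and its kid goes in the header.
    key = ks.keys[ks.primary]
    header = {"alg": "HS256", "typ": "JWT", "kid": key_id(key)}
    signing_input = ".".join(_b64url(json.dumps(o, separators=(",", ":")).encode())
                             for o in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(ks, token):
    head_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    key = ks.find_by_kid(header.get("kid"))
    if key is None:
        raise ValueError("kid is no longer in the published key set")
    expected = hmac.new(key, f"{head_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))

def is_valid(ks, token):
    try:
        verify_jwt(ks, token)
        return True
    except ValueError:
        return False

def demo():
    ks = KeyStore()
    ks.import_key("wso2carbon", b"constructed-key-material-0001")  # sample alias and key
    t1 = sign_jwt(ks, {"sub": "alice"})
    # Approach 1: import under a new alias, make it primary, keep the old key.
    ks.import_key("wso2carbon-2", b"constructed-key-material-0002")
    ks.set_primary("wso2carbon-2")
    t2 = sign_jwt(ks, {"sub": "alice"})
    out = {"kids_after_rotation": len(ks.jwks()["keys"]), "t1_after_rotation": is_valid(ks, t1)}
    # Approach 2: rename the old key first, then import the new one under the old alias.
    ks.rename("wso2carbon-2", "wso2carbon-2-old")
    ks.import_key("wso2carbon-2", b"constructed-key-material-0003")
    ks.set_primary("wso2carbon-2")
    out["t1_after_alias_reuse"] = is_valid(ks, t1)
    out["t2_after_alias_reuse"] = is_valid(ks, t2)
    # Only an explicit removal drops a kid from the JWKS and invalidates its tokens.
    del ks.keys["wso2carbon"]
    out["t1_after_removal"] = is_valid(ks, t1)
    return out
```

Running `demo()` shows the point of the thread: after both rotations every token issued earlier still verifies because its key is still in the store and therefore still in the JWKS; only deleting the old alias makes `t1` fail with "kid is no longer in the published key set". The `alg` pin in `verify_jwt` is there because a verifier that trusts the header's algorithm field is a well known JWT weakness, independent of rotation.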
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
