The E-Commerce Team has updated our OAuth access token endpoint to optionally return a JWT access token. This is an implementation of a previously distributed design. Our current implementation relies on a shared secret key (a symmetric HMAC key) to sign JWTs. We want to avoid sharing secrets across our IDAs (independently deployable applications): any IDA holding the shared secret can mint valid tokens, so a compromise of one IDA compromises the whole token system, and rotating the key requires simultaneous deployment/downtime across every IDA.
Asymmetric keys
ECOM-3629 (openedx.atlassian.net): Expose public key using well-known endpoint (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig)
- Expose multiple keys: the current signing key and the last active (previous) key. The previous key is published for verification only, never used to sign new tokens, and can be removed once every JWT issued with it has expired, i.e. after its last issue time plus the token lifetime.
- Revoked keys should be removed from the list immediately. Verifiers that cache the key set will keep accepting tokens signed with a revoked key until their cache expires, so the cache lifetime bounds the revocation delay.
- Use actual certificates that can be revoked and verified against a CA, rather than bare public keys.
- Reference implementation in django-oidc-provider: https://github.com/juanifioren/django-oidc-provider/blob/a0c7b3c0c40af08c6eccf8a2731fb21a9804871e/oidc_provider/views.py#L176-L225
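The following stdlib-only Python is an added illustration of the key lifecycle described in the list above; it is not part of the ECOM-3629 design or of the django-oidc-provider code linked. It models the issuer's key ring (current key always published, retired keys published until their last token has expired, revoked keys dropped at once), renders the RFC 7517 JWKS document, and shows the verifier picking a key by `kid` while refusing a header whose `alg` is not an accepted RSA algorithm. `SigningKey`, `KeyRing` and `key_for_token` are hypothetical names, the RSA moduli are constructed toy integers rather than real keys, and actual signing and signature verification (which a JWT library would perform) are deliberately left out.

```python
import base64
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

ACCEPTED_ALGS = {"RS256", "RS512"}  # the verifier must never accept HS*/none here


def b64url_uint(value: int) -> str:
    """Base64url-encode an unsigned big-endian integer, no padding (RFC 7518 sec. 2)."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


@dataclass
class SigningKey:
    """Public half of an RSA signing key plus the state the JWKS view needs (hypothetical)."""
    kid: str
    n: int                                      # RSA modulus (constructed toy value below)
    e: int                                      # RSA public exponent
    last_issued_at: Optional[datetime] = None   # when the issuer last signed a JWT with it
    revoked: bool = False

    def to_jwk(self) -> dict:
        return {"kty": "RSA", "use": "sig", "alg": "RS512", "kid": self.kid,
                "n": b64url_uint(self.n), "e": b64url_uint(self.e)}


class KeyRing:
    """Issuer side: one current signing key plus retired keys kept for verification only."""

    def __init__(self, token_lifetime: timedelta):
        self.token_lifetime = token_lifetime
        self.current: Optional[SigningKey] = None
        self.retired: List[SigningKey] = []

    def rotate(self, new_key: SigningKey) -> None:
        if self.current is not None:
            self.retired.append(self.current)   # old key becomes "last active"
        self.current = new_key

    def record_issue(self, now: datetime) -> None:
        self.current.last_issued_at = now

    def revoke(self, kid: str) -> None:
        for key in [self.current, *self.retired]:
            if key is not None and key.kid == kid:
                key.revoked = True

    def _still_needed(self, key: SigningKey, now: datetime) -> bool:
        if key.revoked:
            return False                        # revoked keys leave the set immediately
        if key is self.current:
            return True                         # the active signing key is always published
        if key.last_issued_at is None:
            return False                        # retired without ever signing: nothing to verify
        return now < key.last_issued_at + self.token_lifetime

    def published_keys(self, now: datetime) -> List[SigningKey]:
        self.retired = [k for k in self.retired if self._still_needed(k, now)]
        current = [self.current] if self.current and self._still_needed(self.current, now) else []
        return current + self.retired

    def jwks(self, now: datetime) -> dict:
        """The document served at the well-known JWKS endpoint."""
        return {"keys": [k.to_jwk() for k in self.published_keys(now)]}


def key_for_token(jwks: dict, token: str) -> dict:
    """Verifier side: choose the published JWK named by the token's kid.
    Unknown kids (retired past their window, or revoked) are rejected, and the
    header alg must be an accepted RSA algorithm and match the key's alg."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    if header.get("alg") not in ACCEPTED_ALGS:
        raise ValueError("unacceptable alg %r" % header.get("alg"))
    for jwk in jwks["keys"]:
        if jwk.get("kid") == header.get("kid") and jwk.get("alg") == header.get("alg"):
            return jwk
    raise LookupError("no published key for kid %r" % header.get("kid"))


def make_header(kid: str, alg: str = "RS512") -> str:
    """Constructed token: real JOSE header, placeholder payload and signature."""
    hdr = base64.urlsafe_b64encode(json.dumps({"alg": alg, "kid": kid}).encode())
    return hdr.rstrip(b"=").decode("ascii") + ".e30.sig"


def demo() -> dict:
    """Walk one rotation and one revocation; returns what each step published/accepted."""
    kids = lambda doc: [k["kid"] for k in doc["keys"]]
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ring = KeyRing(token_lifetime=timedelta(hours=1))
    ring.rotate(SigningKey(kid="2024-01-a", n=0xC0FFEE, e=65537))   # constructed modulus
    ring.record_issue(t0)
    ring.rotate(SigningKey(kid="2024-01-b", n=0xBADA55, e=65537))   # constructed modulus
    ring.record_issue(t0 + timedelta(minutes=30))
    out = {}
    jwks_30 = ring.jwks(t0 + timedelta(minutes=30))
    out["after_rotate"] = kids(jwks_30)             # both keys: A's tokens still live
    out["old_token_ok"] = key_for_token(jwks_30, make_header("2024-01-a"))["kid"]
    jwks_61 = ring.jwks(t0 + timedelta(minutes=61))  # A's last token expired at t0+60min
    out["after_expiry"] = kids(jwks_61)
    try:
        key_for_token(jwks_61, make_header("2024-01-a"))
        out["old_token_after_expiry"] = "accepted"
    except LookupError:
        out["old_token_after_expiry"] = "rejected"
    try:
        key_for_token(jwks_61, make_header("2024-01-b", alg="HS256"))
        out["hs256_header"] = "accepted"
    except ValueError:
        out["hs256_header"] = "rejected"
    ring.revoke("2024-01-b")
    out["after_revoke"] = kids(ring.jwks(t0 + timedelta(minutes=62)))  # gone at once
    return out
```

After a revocation the issuer has no signing key until `rotate` is called with a fresh one; in practice revocation and rotation happen together. The `kid` in every issued JWT header is what lets verifiers fetch the right key without coordinated deployments, which is the point of moving off the shared secret.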