The E-Commerce Team has updated our OAuth access token endpoint to optionally return a JWT access token. This is an implementation of a previously distributed design. Our current implementation relies on a shared secret key to sign JWTs. Because the scheme is symmetric, every IDA that holds the secret in order to verify tokens can also mint them, so a compromise of any one IDA compromises all of them. Sharing the secret across our IDAs also makes key changes painful: updating the key requires simultaneous IDA deployment or downtime. We want to stop sharing secrets across IDAs.
Asymmetric keys
- ECOM-3629
- Expose the public keys as a JWK Set (JWKS) at a jwks_uri advertised in the OpenID Connect discovery document, /.well-known/openid-configuration (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig). Verifiers fetch public keys instead of receiving a secret, so nothing private ever leaves the token endpoint.
- Expose multiple keys: the current key and the last active key, each published under its own kid so that a verifier can select the key named in a token's header. The last active key can be removed only after the last JWT issued with it has expired; until then, tokens signed with it must keep verifying.
- Revoked keys should be removed from the list immediately, so that tokens signed with a compromised key stop verifying as soon as verifiers refresh the set. Verifiers should therefore cache the JWKS only briefly and refetch it when they see an unknown kid.
- Use actual certificates that can be revoked and verified against a CA (a JWK can carry its certificate chain in the x5c / x5t members), rather than relying only on a key's presence in the list.
- Reference implementation (django-oidc-provider): https://github.com/juanifioren/django-oidc-provider/blob/a0c7b3c0c40af08c6eccf8a2731fb21a9804871e/oidc_provider/views.py#L176-L225
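As an added illustration of the scheme the bullets above describe (this is not code from this page or from django-oidc-provider), the following Go program, using only the standard library, models an issuer-side key ring that publishes every key it holds as a JWK Set with one kid per key, issues JWTs that name the signing kid, and a verifier that selects the key by kid, pins the algorithm, and checks exp. It uses Ed25519 / EdDSA (RFC 8037) rather than RSA to keep the example short; with RS256 the JWK entry carries kty "RSA" with n and e instead of kty "OKP" with x, and the rest of the flow is unchanged. The names KeyRing, Rotate, Remove, Sign and Verify, and the kid values used in the test, are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// JWK is the public half of one Ed25519 signing key as served from jwks_uri (RFC 7517 / RFC 8037).
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	X   string `json:"x"`
}

// JWKS is the key-set document body; only public material ever goes in it.
type JWKS struct{ Keys []JWK `json:"keys"` }

// KeyRing (hypothetical name) is the issuer's key store: every key in it is published, the current one signs.
type KeyRing struct {
	keys    map[string]ed25519.PrivateKey // kid -> private key, never serialised
	current string                        // kid used for newly issued tokens
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[string]ed25519.PrivateKey{}} }

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Rotate makes a fresh key current; the old one stays published as last-active until Remove.
func (r *KeyRing) Rotate(kid string) error {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	r.keys[kid] = priv
	r.current = kid
	return nil
}

// Remove unpublishes a key: after its last JWT has expired, or at once on revocation.
func (r *KeyRing) Remove(kid string) { delete(r.keys, kid) }

// JWKS renders one public entry per published kid.
func (r *KeyRing) JWKS() JWKS {
	var set JWKS
	for kid, priv := range r.keys {
		pub := priv.Public().(ed25519.PublicKey)
		set.Keys = append(set.Keys, JWK{Kty: "OKP", Crv: "Ed25519", Kid: kid, X: b64url(pub)})
	}
	return set
}

// Sign issues an EdDSA JWT with the current key, naming it in the kid header.
func (r *KeyRing) Sign(claims map[string]interface{}) (string, error) {
	priv, ok := r.keys[r.current]
	if !ok {
		return "", errors.New("no active signing key")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": r.current})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64url(hdr) + "." + b64url(body)
	return input + "." + b64url(ed25519.Sign(priv, []byte(input))), nil
}

// Verify is the resource-server side: select the key by kid from the fetched JWKS,
// pin the algorithm to EdDSA, check the signature over header.payload, then check exp.
func Verify(set JWKS, token string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, errors.New("bad base64url in token")
		}
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("header rejected: alg must be EdDSA") // the token never picks the algorithm
	}
	var pub ed25519.PublicKey
	for _, k := range set.Keys {
		x, err := base64.RawURLEncoding.DecodeString(k.X)
		if k.Kid == hdr.Kid && k.Kty == "OKP" && k.Crv == "Ed25519" && err == nil && len(x) == ed25519.PublicKeySize {
			pub = ed25519.PublicKey(x)
		}
	}
	if pub == nil {
		return nil, errors.New("no published key for this kid") // retired or revoked keys land here
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), raw[2]) {
		return nil, errors.New("invalid signature")
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	return claims, nil
}
```

Rotate publishes a second key without touching any verifier, because verifiers route by kid rather than by a single shared key. Remove serves both paths from the bullets: the scheduled retirement of the last-active key once its tokens have expired, and immediate revocation. The verifier deliberately rejects any token whose header names a different alg, which is what stops a captured token from being re-signed as HS256 with the public key as the "secret".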