Identity Gateway: OPENIG-4801

Expose a secret through a JwkSet


    • Type: Story
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • 7.0.0
    • 7.1.0
    • Sprints: 2020.16 - IG / Microservices, 2020.17 - IG / Microservices, 2021.01 - IG / Microservices, IG 2020 Winter Hack Week
    • 5


      With the JwtBuilderFilter we can build signed or encrypted JWTs. Consumers of these JWTs need to verify or decrypt them, and therefore need access to the cryptographic material that corresponds to what IG used to sign or encrypt the JWT. Unfortunately, IG has no built-in feature for publishing such material.

      It would be very handy for a user to set up a Handler / Filter with the same configuration as the JwtBuilderFilter (or to have the JwtBuilderFilter serve a specific endpoint) that produces a JwkSet containing the key material a JWT consumer needs to verify the JWT.

      Acceptance Criteria

      • Add a JwkSetHandler with an associated Heaplet
        • Keep in mind that it could be used in other places
      • It needs a SecretsProvider reference
      • Plus a list of Purposes
        • Each purpose must include the secret type (SigningKey, DataEncryptionKey, ...)
      • Plain text only

      Example configuration (not mandatory, for the example purpose only):

        purposes: [
            {
                secretId: "your.secret.id",
                type: "VERIFICATION_KEY" // would export the certificate, not the private key
            }
        ]

      In subsequent stories:

      • Secrets filtering options need to be determined
        • Restrict to public info only (== no shared secrets, no private keys) -> Not done in that issue.
        • Only valid? Only active? Only named? -> Only valid (see comment below)
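      The following is an added illustration of what such a handler has to enforce when it assembles the JwkSet: only purposes whose type is publishable are exported, and from each secret only the public JWK members survive. It is not IG code; the purpose type names, the `secrets_provider` dict standing in for a SecretsProvider, and the sample key material are all constructed for this example.

```python
import json

# JWK members that carry private or symmetric key material (RFC 7518, section 6).
# None of these may ever appear in a published JWK Set.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

# Purpose types that may be exported, mapped to the JWK "use" value.
# Only VERIFICATION_KEY is taken from the story; every other type
# (SigningKey, DataEncryptionKey, ...) is treated as non-publishable.
EXPORTABLE_USE = {"VERIFICATION_KEY": "sig"}


def build_jwk_set(secrets_provider, purposes):
    """Return a JWK Set (RFC 7517) holding only public material.

    secrets_provider: dict mapping secretId -> list of JWK dicts (stand-in
    for a SecretsProvider; each entry may contain private members).
    purposes: list of {"secretId": ..., "type": ...} as in the story config.
    """
    keys = []
    for purpose in purposes:
        secret_id = purpose["secretId"]
        use = EXPORTABLE_USE.get(purpose["type"])
        if use is None:
            # Signing / data-encryption purposes are secrets: skip, never leak.
            continue
        for jwk in secrets_provider.get(secret_id, []):
            if jwk.get("kty") == "oct":
                # Symmetric key: the whole key is the shared secret, nothing to publish.
                continue
            public = {k: v for k, v in jwk.items() if k not in PRIVATE_MEMBERS}
            public.setdefault("kid", secret_id)
            public["use"] = use
            keys.append(public)
    return {"keys": keys}


def jwk_set_json(secrets_provider, purposes):
    """Serialise the JWK Set as the handler would return it (application/json)."""
    return json.dumps(build_jwk_set(secrets_provider, purposes), sort_keys=True)


# Constructed sample secrets: an RSA key pair (values are placeholders) and a shared secret.
SAMPLE_SECRETS = {
    "your.secret.id": [{"kty": "RSA", "alg": "RS256", "n": "sample-modulus", "e": "AQAB",
                        "d": "sample-private-exponent", "p": "sample-p", "q": "sample-q"}],
    "shared.hmac.secret": [{"kty": "oct", "alg": "HS256", "k": "sample-shared-secret"}],
}
SAMPLE_PURPOSES = [{"secretId": "your.secret.id", "type": "VERIFICATION_KEY"},
                   {"secretId": "shared.hmac.secret", "type": "VERIFICATION_KEY"},
                   {"secretId": "your.secret.id", "type": "SIGNING_KEY"}]
```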


              violette Violette Roche Montane
              laurent.vaills Laurent Vaills