[COMMONS-340] Use secrets API in Jwt Session Module Created: 30/Jul/18  Updated: 11/Oct/18  Resolved: 10/Oct/18

Status: Resolved
Project: Commons
Component/s: Secrets
Fix Version/s: 24.0.0

Type: Story
Reporter: James Phillpotts Assignee: Jason Lemay
Resolution: Fixed Votes: 0
Labels: CLARK
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is required by OPENIDM-11422 Session JWT key usage is not clear Closed
is required by OPENIDM-11701 Integrate SecretsProvider based JWT c... Closed
Target Version/s:
Story Points: 5
Sprint: OpenIDM Sprint 6.5-8, OpenIDM Sprint 6.5-9
Epic Link: Commons Secrets Integration (Commons)


The JWT session JASPI module currently uses a keystore file and alias for encryption, and a static byte array as the key for signing JWTs. This should be changed to use the Secrets API.

The amount of impact on AM is: Low (AM has already overridden this class to integrate with the secrets API in 6.1)
The amount of impact on IDM is: Medium (We will make use of the work AM has done. This will require config change and providing the secrets provider to the service. This will also have UI impact)
The amount of impact on IG is: None - not used.

Acceptance criteria

  • The DefaultJwtCryptographyHandler is changed to use the Secrets API
  • The Purpose.SIGN, Purpose.VERIFY, Purpose.KEY_ENCRYPTION and Purpose.KEY_DECRYPTION purposes are used by the module
  • A SecretsProvider is expected in the initialization map, and is used to obtain the necessary secret values.

Comment by Jason Lemay [ 10/Oct/18 ]

A SecretsProviderJwtCryptographyHandler was added to the JWT session module to use purpose-based secrets in the JWT Session Module.

The Jwt has the following additional configuration options to support secrets.

  • "secretsProvider" - This option allows the consumer to send a SecretsProvider instance to the auth module.
  • "encryptionPurpose" - The purpose to use for encryption; by default it uses the DATA_ENCRYPTION purpose.
  • "decryptionPurpose" - The purpose to use for decryption; by default it uses the DATA_DECRYPTION purpose.
  • "signingPurpose" - The purpose to use for signing; by default it uses the SIGN purpose.
  • "verificationPurpose" - The purpose to use for verifying the JWT; by default it uses the VERIFY purpose.
  • "clock" - This allows the consumer to pass a Clock to the JWT session module. By default it uses a UTC clock.