Add support for two OpenID Connect key-pairs #11626
8fa74a0 to a0ed94d
LGTM.
One last thought is that maybe we could redo the naming of the primary/secondary? The existing pattern we have for PII fingerprinting, attribute encrypting, and other rotatable secrets is like hmac_fingerprinter_key for the current one and hmac_fingerprinter_key_queue for older ones.
So my proposal here would be something like oidc_private_key and oidc_private_key_queue, then oidc_public_key and oidc_public_key_queue?
changelog: Internal, OpenID Connect, Support two OIDC key-pairs
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
848d9cb to 935a489
Yeah, I had been hoping to find a way to do that, but I'm not sure on the best way to handle it. I added a commit to put it in the Rails application config, which feels alright? Open to suggestions though.
935a489 to bac71fe
bac71fe to 33b57db
🛠 Summary of changes
Following up on #11612, this adds a secondary OpenID Connect key-pair that gives us the ability to do a zero-downtime rotation. The two externally facing elements that require changes are:
id_token_hint parameter in OIDC Logout
Previously, we did not allow "missing" app artifacts, but we may not always have a secondary key-pair, so the class was modified to allow it (though it still defaults to not allowing it).
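As an added illustration of the rotation scheme this PR describes (example code, not from the identity-idp project), the sketch below verifies an RS256 id_token such as the id_token_hint sent to OIDC Logout against the current public key first and then a queue of retired keys, following the oidc_public_key / oidc_public_key_queue naming proposed in the review. The key names, the hand-rolled JWS helpers and the sample keys are assumptions constructed for the example.

```ruby
require 'openssl'
require 'json'

# Added example, not project code: tokens issued before a rotation keep
# validating until their key leaves oidc_public_key_queue; nothing else changes.
module OidcKeyRotation
  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    padded = str.tr('-_', '+/')
    (padded + '=' * ((4 - padded.length % 4) % 4)).unpack1('m0')
  end

  # Minimal RS256 JWS signer standing in for a JWT library.
  def self.sign_id_token(payload, private_key)
    header = b64url(JSON.generate({ alg: 'RS256', typ: 'JWT' }))
    signing_input = "#{header}.#{b64url(JSON.generate(payload))}"
    signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
    "#{signing_input}.#{b64url(signature)}"
  end

  # Returns the decoded payload when some key verifies, nil otherwise.
  # Keys are tried newest first; any alg other than RS256 is rejected so an
  # unsigned or HMAC-signed token can never pass.
  def self.verify_id_token(token, public_key, public_key_queue)
    header, body, sig = token.split('.')
    return nil unless header && body && sig
    return nil unless JSON.parse(b64url_decode(header))['alg'] == 'RS256'
    signature = b64url_decode(sig)
    signing_input = "#{header}.#{body}"
    ([public_key] + public_key_queue).each do |key|
      if key.verify(OpenSSL::Digest.new('SHA256'), signature, signing_input)
        return JSON.parse(b64url_decode(body))
      end
    end
    nil
  rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
    nil # malformed encoding, header or signature counts as a failed check
  end
end

# Constructed sample rotation: NEW_KEY is current, OLD_KEY has moved to the queue.
OLD_KEY = OpenSSL::PKey::RSA.new(2048)
NEW_KEY = OpenSSL::PKey::RSA.new(2048)
OIDC_PUBLIC_KEY = NEW_KEY.public_key
OIDC_PUBLIC_KEY_QUEUE = [OLD_KEY.public_key]
```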