Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow origin issuer key to be rotated #561

Open
bbockelm opened this issue Dec 29, 2023 · 0 comments · May be fixed by #1748
Open

Allow origin issuer key to be rotated #561

bbockelm opened this issue Dec 29, 2023 · 0 comments · May be fixed by #1748
Assignees
@h2zh
Labels
enhancement New feature or request registry Issue relating to the registry component
Milestone
v7.12.0

Comments

@bbockelm
Copy link
Collaborator

We currently keep the issuer private key around for the lifetime of the process. If the key is changed then it should be reloaded and propagated throughout the internal structures.

Instead of having a time-based cache for this, I think it'd be better to have a maintenance goroutine that periodically checks/reloads/updates the internal data structures.

In scope for this issue:

  • Rotating out private key from internal memory structures if the admin provides a new one.
  • Registering new key with the registry.

Not in scope for this issue:

  • Generating a new public JWKS file with both old and new keys. It's up to the admin to get the public key set correct.
    • In the future, we should track when the last known token for a given key expires and automatically merge in prior public keys used by the origin.
  • Delaying signing tokens with the new key until a public key propagation time period has passed.
  • Actually generating the new private key itself.

That is, we should assume the origin administrator knows what they're doing when rotating keys. A follow-up ticket can automate the key rotation process.
@bbockelm bbockelm added the enhancement New feature or request label Dec 29, 2023
@bbockelm bbockelm added this to the v7.5.0 milestone Dec 29, 2023
@haoming29 haoming29 mentioned this issue Feb 1, 2024
Closed
@haoming29 haoming29 modified the milestones: v7.5.0, v7.7.0 Mar 6, 2024
@haoming29 haoming29 modified the milestones: v7.7.0, v7.8.0 Mar 29, 2024
@bbockelm bbockelm modified the milestones: v7.8.0, v7.9.0 May 8, 2024
@jhiemstrawisc jhiemstrawisc modified the milestones: v7.9.0, v7.10.0 Jun 14, 2024
@bbockelm bbockelm added the registry Issue relating to the registry component label Oct 11, 2024
@bbockelm bbockelm modified the milestones: v7.10.0, v7.12.0 Oct 11, 2024
@h2zh h2zh linked a pull request Nov 19, 2024 that will close this issue
Allow multiple private keys but use the latest one #1748
Open
@h2zh h2zh linked a pull request Nov 19, 2024 that will close this issue
Open
@h2zh h2zh mentioned this issue Dec 10, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@h2zh h2zh

Labels
enhancement New feature or request registry Issue relating to the registry component
Projects
None yet
Milestone
v7.12.0
Development

Successfully merging a pull request may close this issue.

Allow multiple private keys but use the latest one h2zh/pelican
4 participants
@bbockelm @haoming29 @h2zh @jhiemstrawisc