Comments (4)
Let me know if you have any ideas on how to improve this. Best practices, specs and ideas alike :)
from hydra.
Instead of a flag, JWKs should have an exp claim.
For standard, regular key rotation that is meant to prevent key abuse, I would recommend a period of time during which both the old and the new keys can be used. Basically the maximum expiry period for anything that would've been encrypted or signed with the old key.
If an existing key has been compromised, it should be replaced instantly, and anything encrypted with the old key should be considered unsafe anyway and discarded. Locking during the replacement process would be nice, but ultimately there are going to be failing messages at some point if you're not respecting the previous keys anyway.
JWK Rotation is now implemented by adding another key (pair) to the existing set.
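The two rotation rules discussed above (after a routine rotation the old key stays usable for one maximum token lifetime; a compromised key is dropped at once with no grace period) and the "rotate by adding another key pair to the set" model, as an added Go example. This is not hydra's code: the `KeySet`, `Rotate`, `Revoke`, `PublicJWKS`, `Sign` and `Verify` names are hypothetical, the keys are Ed25519 rather than whatever a given deployment uses, and the `Token` type carries the signing key's `kid` next to the signature the way a JWS header would instead of using full JWT serialisation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// keyEntry is one key pair in the set (hypothetical type, not hydra's own). Exp is zero while
// the key is the active signer; Rotate sets it to now+MaxTTL, the overlap window in which
// signatures made before the rotation still verify.
type keyEntry struct {
	KID  string
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
	Exp  time.Time
}

// KeySet is the set published as the JWKS. cur signs new material; MaxTTL is the longest
// lifetime of anything signed with a key, so it bounds how long an old key must stay usable.
type KeySet struct {
	keys   []*keyEntry
	cur    *keyEntry
	n      int // kid counter, so kids are never reused after a Revoke
	MaxTTL time.Duration
}

// Token carries the kid of its signing key alongside the signature, as a JWS header would.
type Token struct {
	KID          string
	Payload, Sig []byte
}

func (k *keyEntry) usable(now time.Time) bool { return k.Exp.IsZero() || now.Before(k.Exp) }

// Rotate adds a fresh key pair to the set and starts the previous signer's grace period
// instead of deleting it.
func (ks *KeySet) Rotate(now time.Time) (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	if ks.cur != nil {
		ks.cur.Exp = now.Add(ks.MaxTTL)
	}
	ks.n++
	ks.cur = &keyEntry{KID: fmt.Sprintf("key-%d", ks.n), Pub: pub, Priv: priv}
	ks.keys = append(ks.keys, ks.cur)
	return ks.cur.KID, nil
}

// Revoke is the compromise path: the key leaves the set at once, with no grace period, so
// everything it signed stops verifying immediately; a Rotate must follow before signing resumes.
func (ks *KeySet) Revoke(kid string) {
	for i, k := range ks.keys {
		if k.KID == kid {
			ks.keys = append(ks.keys[:i], ks.keys[i+1:]...)
			if ks.cur == k {
				ks.cur = nil
			}
			return
		}
	}
}

// PublicJWKS renders the keys a verifier should trust at time now as a JWK Set (RFC 8037 OKP keys).
func (ks *KeySet) PublicJWKS(now time.Time) ([]byte, error) {
	keys := []map[string]string{}
	for _, k := range ks.keys {
		if k.usable(now) {
			x := base64.RawURLEncoding.EncodeToString(k.Pub)
			keys = append(keys, map[string]string{"kty": "OKP", "crv": "Ed25519", "alg": "EdDSA",
				"use": "sig", "kid": k.KID, "x": x})
		}
	}
	return json.Marshal(map[string]any{"keys": keys})
}

// Sign signs payload with the current key and tags the result with that key's kid.
func (ks *KeySet) Sign(payload []byte) (Token, error) {
	if ks.cur == nil {
		return Token{}, fmt.Errorf("no signing key: rotate first")
	}
	return Token{KID: ks.cur.KID, Payload: payload, Sig: ed25519.Sign(ks.cur.Priv, payload)}, nil
}

// Verify accepts a token only if its kid names a key that is still in the set and still inside
// its grace period at time now, and the signature checks under that key.
func (ks *KeySet) Verify(t Token, now time.Time) error {
	for _, k := range ks.keys {
		if k.KID == t.KID && k.usable(now) {
			if ed25519.Verify(k.Pub, t.Payload, t.Sig) {
				return nil
			}
			return fmt.Errorf("bad signature for kid %q", t.KID)
		}
	}
	return fmt.Errorf("kid %q is unknown, revoked or past its grace period", t.KID)
}
```

During the overlap window `PublicJWKS` lists both the old and the new key, so a relying party that refreshes the set sees the old `kid` until its grace period ends and needs no other coordination than the clock; a revoked key vanishes from the published set and from `Verify` in the same step, which is exactly the "replace instantly, treat old material as unsafe" behaviour the comment above asks for.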