Support JWKs for jwt auth key definition #2176
Comments
Thanks, I like this idea. There are a few implementation subtleties but nothing too problematic. I think one thing I was surprised not to see explicitly addressed in the JWKS spec was a recommended caching lifetime. I guess this can be configurable in
Yes, I would agree. In other services that we have, the keys are lazily fetched with a configurable cache period as well. I believe some implementations also use the kid in the header, checking if it exists in the cached keys and, if not, refreshing the keys, but this could lead to a pileup due to mal-/misformed JWTs. So I don't know if that level is necessary. And rehash invalidating the cache would still give a nice escape hatch to admins in the case they need to update immediately.
In the meantime, if you're interested in implementing IRCV3BEARER, here's the current draft: Relevant background on SASL in the IRCv3 context is at https://ircv3.net/specs/extensions/sasl-3.1
Thanks, I had seen this earlier and was figuring out what changes we would need to make to the client library we use, if any, to make it work. So I will definitely be giving it a try.
Support for OAuth and JWT authentication mechanisms was recently added, which is great!
Currently, for JWT authentication the key is provided directly in the configuration YAML. Another option that would be great to support is to allow the admins to supply a URL that exposes the JSON Web Key Set (JWKS). This would allow for a single source of truth for the public keys to check the JWTs against and should be supported by any major auth provider. This also helps to centralize any key rotations and keep all the services in sync.
An example of a JWKS endpoint is https://hydra.faforever.com/.well-known/jwks.json
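The comments above sketch the design points for JWKS support: lazy fetching with a configurable cache lifetime, refreshing on an unknown `kid` so key rotation is picked up, but not letting a stream of tokens with bogus `kid` values pile up into a flood of requests to the identity provider, plus an explicit invalidation hook for rehash. The Go below is an added example written for this thread, not code from the project or the issue author. It parses the RSA members of a JWKS document (RFC 7517/7518 fields `kty`, `kid`, `use`, `n`, `e`), caches them for `ttl`, and refreshes on an unknown `kid` only when a `minRefresh` cooldown has elapsed. The `fetch` callback, the `JWKSCache` type and the constructed JWKS document are assumptions of the example; in a real server `fetch` would be an HTTPS GET of the configured `.well-known/jwks.json` URL.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// jwk is the subset of an RSA JSON Web Key that a verifier needs.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Use string `json:"use,omitempty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type jwks struct {
	Keys []jwk `json:"keys"`
}

var ErrUnknownKid = errors.New("jwks: no key for kid")

// JWKSCache (hypothetical type) lazily fetches a JWKS document, serves it for ttl,
// and refreshes on an unknown kid at most once per minRefresh, so a flood of
// tokens with bogus kids cannot become a flood of requests to the IdP.
type JWKSCache struct {
	fetch      func() ([]byte, error) // assumption: returns the raw JWKS document
	ttl        time.Duration
	minRefresh time.Duration
	Now        func() time.Time // injectable clock (tests); defaults to time.Now

	mu          sync.Mutex
	keys        map[string]*rsa.PublicKey
	fetchedAt   time.Time
	lastRefresh time.Time
}

func NewJWKSCache(fetch func() ([]byte, error), ttl, minRefresh time.Duration) *JWKSCache {
	return &JWKSCache{fetch: fetch, ttl: ttl, minRefresh: minRefresh, Now: time.Now}
}

// parseJWKS keeps only RSA signing keys that carry a kid; anything else is skipped.
func parseJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set jwks
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	out := make(map[string]*rsa.PublicKey)
	for _, k := range set.Keys {
		if k.Kty != "RSA" || k.Kid == "" || (k.Use != "" && k.Use != "sig") {
			continue
		}
		n, err := base64.RawURLEncoding.DecodeString(k.N)
		if err != nil {
			return nil, err
		}
		e, err := base64.RawURLEncoding.DecodeString(k.E)
		if err != nil {
			return nil, err
		}
		out[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return out, nil
}

// refreshLocked re-fetches unconditionally; caller holds mu. lastRefresh is stamped
// before the fetch so that failed attempts also count toward the cooldown.
func (c *JWKSCache) refreshLocked() error {
	c.lastRefresh = c.Now()
	doc, err := c.fetch()
	if err != nil {
		return err // transient failure: keep serving the previously cached keys
	}
	keys, err := parseJWKS(doc)
	if err != nil {
		return err
	}
	c.keys, c.fetchedAt = keys, c.Now()
	return nil
}

// Key returns the public key for kid, fetching lazily, honouring ttl, and refreshing
// on an unknown kid only when the cooldown has passed.
func (c *JWKSCache) Key(kid string) (*rsa.PublicKey, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.keys == nil || c.Now().Sub(c.fetchedAt) > c.ttl {
		if err := c.refreshLocked(); err != nil && c.keys == nil {
			return nil, err
		}
	}
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	if c.Now().Sub(c.lastRefresh) >= c.minRefresh {
		if err := c.refreshLocked(); err == nil {
			if k, ok := c.keys[kid]; ok {
				return k, nil
			}
		}
	}
	return nil, fmt.Errorf("%w %q", ErrUnknownKid, kid)
}

// Invalidate drops the cache: the rehash escape hatch mentioned in the thread.
func (c *JWKSCache) Invalidate() { c.mu.Lock(); c.keys = nil; c.mu.Unlock() }

// encodeJWK renders a public key as a JWK so a JWKS document can be constructed offline.
func encodeJWK(kid string, pub *rsa.PublicKey) jwk {
	return jwk{Kty: "RSA", Kid: kid, Use: "sig",
		N: base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
		E: base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	// constructed JWKS document standing in for the IdP's .well-known/jwks.json
	doc, _ := json.Marshal(jwks{Keys: []jwk{encodeJWK("2024-01", &priv.PublicKey)}})
	calls := 0
	c := NewJWKSCache(func() ([]byte, error) { calls++; return doc, nil }, time.Hour, 5*time.Minute)
	_, err := c.Key("2024-01")
	fmt.Println("known kid err:", err, "fetches:", calls)
	for i := 0; i < 100; i++ {
		c.Key("garbage")
	}
	fmt.Println("after 100 bogus kids, fetches:", calls)
}
```

The cooldown is what turns the "check the kid, refresh if missing" pattern from a pileup risk into a safe one: legitimate rotation is still picked up within `minRefresh`, while unknown kids cost at most one upstream request per cooldown window. Stamping `lastRefresh` before the fetch also stops a failing IdP from being hammered.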