Lazy JWT Key Rotation in .NET: Redis-Powered JWKS That Just Works
13 points by aaronpina 2 days ago | 10 comments
hexagonsuns 58 minutes ago
replytime4tea 4 hours ago
The key material is in redis?
Seems odd.
Should be in fips 140 hsm?
Else key can be stolen easy.
replyMaybe missed something.
a_random_name 4 hours ago
(glanced at it so I could be wrong) They're talking about a public key that can be used to validate the JWT's authenticity. AFAIK there is no need to keep these secret, and it's not possible to (without breaking public key crypto) forge them so it should be safe to store them wherever.
replynijave 4 hours ago
How can the key be stolen easily? That really depends on the security of the Redis setup. Redis is typically not internet accessible so you'd need some sort of server exploit.
replyWould have been good if the article example showed a Redis server with TLS and password auth.
time4tea 4 hours ago
Private key material should not be kept in the clear anywhere, ideally.
This includes on your dev machine, serialised in a store, in the heap of your process, anywhere.
Of course, it depends on your threat environment, but the article did mention pci-dss.
If you put it in redis, then anyone that has access (internal baddies exist too!) can steal the key and sign something. Its hard to repudiate that.
replyflumpcakes 3 hours ago
How far do you go, how do you use the private key to sign something if you can't keep it anywhere?
replyJackSlateur 2 hours ago
TPM
replyYou never have the private key, only the ability to ask something to encrypt/sign something
I skimmed over the previous articles in this blog and they don't seem to mention the one use case JWTs were made for: having a separate authentication server from the application server. Most developers will only need this for integrating into corporations with single sign in or social logins (sign in with Facebook/google/apple...). There you won't write the authentication server but integrate with them. Session Ids are dead simple to get right securely. Just use them.