OAuth2.0 uses a secret as a symmetric key used by say, HMACSHA256 algorithm to generate signature. This secret is important, otherwise anyone can create a 'valid' JWT token and present to server. For example, if I create a JWT, and sign it, the sign is valid. Only the server know the secret or symmetric key. So I cannot create a JWT which will 'pass' with the server, as I don't know the secret with the server. So far so good. Now, if there are multiple servers, and multiple micro services, thus potentially having dozens of servers, all of them need to know the same secret so that the JWT 'passes' in all the servers. This seems to be big loophole. If one server is breached and the secret is known, all servers can be breached. In addition, on small way to alleviate this is to rotate the secret from time to time. How can that be done? If we store the secret in a vault, then the passwords for the vault will be in all the servers. So even that doesn't help. Any ideas??
Asked
Active
Viewed 1,098 times
1 Answers
1
Most commonly RSA256 is used to sign tokens with an asymmetric key so that:
- Authorization Server knows the private key
- Anyone (including APIs) can download the public key from the Authorization Server's JWKS endpoint,band use that to validate tokens
If symmetric keys are used, then APIs will not be able to validate tokens in memory, though they can use introspection to validate tokens, as in Step 16 of my blog post.
Gary Archer
- 22,534
- 2
- 12
- 24