I'm using JWT as a container for access tokens and want to add rotation of the signing keys. I found that the Data Protection API provides this functionality out of the box.
While the DP API is an interface for (symmetrically) encrypting/decrypting data, a JWT should be signed, so the two are not compatible as they are.
Would it be secure to have the following flow:
- JWT `kid` to store the Key Id from the DP API
- DP API to auto-rotate keys based on the time policy
- JWT to use a custom `IssuerSigningKeyResolver` to retrieve the raw key from the DP API by `kid` value
That means that all existing/expired keys can be used to validate any token. To invalidate a token, the key can be revoked/deleted from the DP API key ring.
Custom invalidation logic for distributed applications: reload the key ring on a token validation error, so the instance can pick up the most recent key generated by another instance.
My concerns:
1. Microsoft does not recommend using `IKeyManager` directly:
   > Developers should very rarely (if ever) need to use the key management APIs directly
   But I'm not sure whether this relates to key access rather than rotation management.
2. Exposing the key id within the `kid` JWT header. I don't see a security issue here, but that does not mean there is none.
3. There is no simple way to access the key buffer.
Has anyone tried to do something similar? Is there a simple strategy for key rotation/management?
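As an added example (not the poster's code and not the Data Protection API itself), here is the proposed flow modelled in Python: an in-memory `KeyRing` stands in for the DP API key ring, with a shared `store` dict playing the repository that several instances read; `sign` picks the newest live key and writes its id into `kid`, and `verify` plays the `IssuerSigningKeyResolver`, resolving the key by `kid`, reloading the ring once on a miss, and rejecting unknown or revoked keys. The kid format, the key lifetime and the key record layout are assumptions.

```python
import base64, hashlib, hmac, json, os

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class KeyRing:
    """Stand-in for the DP API key ring: a per-instance cache of a shared store of kid -> key record (assumed layout)."""
    def __init__(self, store: dict, lifetime: float = 90 * 86400):
        self.store, self.lifetime = store, lifetime
        self.reload()
    def reload(self) -> None:                # pull whatever other instances have written
        self.keys = {kid: dict(k) for kid, k in self.store.items()}
    def rotate(self, now: float) -> str:     # DP API uses a GUID as KeyId; a random hex id stands in here
        kid = os.urandom(8).hex()
        self.store[kid] = {"secret": os.urandom(32), "activation": now,
                           "expiration": now + self.lifetime, "revoked": False}
        self.reload()
        return kid
    def revoke(self, kid: str) -> None:      # revocation is written to the shared store, then cached
        self.store[kid]["revoked"] = True
        self.reload()
    def default_kid(self, now: float) -> str:
        """Newest live key (activation <= now < expiration, not revoked) for signing; rotate if none."""
        live = [(k["activation"], kid) for kid, k in self.keys.items()
                if not k["revoked"] and k["activation"] <= now < k["expiration"]]
        return max(live)[1] if live else self.rotate(now)

def sign(ring: KeyRing, claims: dict, now: float) -> str:
    kid = ring.default_kid(now)
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(ring.keys[kid]["secret"], f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify(ring: KeyRing, token: str):
    """IssuerSigningKeyResolver analogue: select the key by kid, reloading once on a miss.
    Any known, non-revoked key validates; unknown/revoked kid or a bad signature gives None."""
    head, body, sig = token.split(".")
    header = json.loads(_unb64(head))
    kid = header.get("kid")
    if kid not in ring.keys:
        ring.reload()                        # another instance may have rotated since our last load
    key = ring.keys.get(kid)
    if header.get("alg") != "HS256" or key is None or key["revoked"]:
        return None                          # the token never gets to choose the algorithm
    want = hmac.new(key["secret"], f"{head}.{body}".encode(), hashlib.sha256).digest()
    return json.loads(_unb64(body)) if hmac.compare_digest(want, _unb64(sig)) else None
```

One consequence of reloading only on a validation error: a revocation written by one instance is not seen by another until its next reload, because a cached, unrevoked key validates without producing the error that triggers the reload.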