This page is for Authlete 2.x. For current (3.0) documentation, see this page.
Handling Crypto Material
Declaring the keys on services
OpenID Connect servers are required to issue ID Tokens and very often OAuth servers are required to issue access tokens in JWT format. Those formats are required to be signed and optionally encrypted, and as a requirement for signing and encrypting, the server is required to possess private keys and make public keys available to clients. The Authlete Terraform provider allow public and private keys to be defined in hcl scripts using thejwk objects. Those
objects must be defined on authlete_service and authlete_client scope and the semantics of the tag is straightforward: if
the object is defined on an authlete_server, it represents a key possessed by the server, and if defined on an authlete_client it
represents a key possessed by the client.
The jwk takes a format as below, where the first jwk block is an elliptic curve to be used for signing the access token,
and the second block is a symmetric key to be used for encryption.
key_material folder), the output will be as below:
Random generated keys
Supported Algorithms and Curves for key generation
The rule of thumb for private keys is that the exposure should be minimal or none at all. This means that creating keys on systems with proper randomness and moving it to the server is quite a challenge. In order to reduce the exposure, the Terraform provider can generate keys and configure the Authlete server with that. For RSA cryptosystem, the provider supports generating keys for all the algorithms:RS256, RS384, RS512, PS256,
PS384, PS512, RSA-OAEP, and RSA-OAEP-256. The supported Elliptic-curve algorithms are: ES256, ES384, ES512, ECDH-ES,
ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, Ed25519, and X25519.
The declaration of a key in Terraform scripts is as simple as it can gets: you declare the key, include the attribute generate
as true, and omit the key attributes. When provisioning the service in Authlete the provider will identify which
keys are to be generated or removed from the server and act accordingly.
Declaration of a key to be generated is done like below:
RSA keys
RSA cryptosystem is quite established, pervasive, and key generation is very well-known, but the Authlete provider can handle that for you, independent of the key size. The example below, fromrsa_key_gen folder of authlete-terraform-samples
project, shows the declaration of RSA keys of multiple sizes and usages.
The declaration below can generate different keys on the server.
x5c attribute is not populated, as the certificate itself is not present.
Elliptic Curve keys
The key generation in Elliptic Curve space is less well understood as the adoption of EC is increasing and the math behind it is more complex with increasing coverage in the computer science syllabus. Independent of the complexity, the Authlete Terraform provider hides that from you, as for the RSA keys: you declare a key to be generated, the algorithm, and the curve to be used, and it will be generated for you. Some attributes are common to RSA keys, likekid, kty, alg, and use, while crv is a specific attribute for this
type of key.
As sample of configuration you can check the ec_key_gen folder on the Authlete Terraform samples project. In the example
below, you have all sorts of Elliptic Curve keys declared, including EdDSA algorithm with Curve25519 curve.
PEM support
If you need to use sign and/or encryption keys associated with signed certificates, you will be required to create the keys, create the certificate, and CSR externally to Authlete. To reduce the exposure of the private key, the Authlete provider supports key in PEM format, either RSA or EC keys. The provider does the conversion locally and submits in JWK format to the Authlete server. The attribute used if thepem_private_key and the declarations are as below:
file function or the local_file
provider for that. Using the file function, the declaration will be much cleaner, as below:
Key Rotation
There are 3 concerns that key rotation needs to address:- keys are required to be considered weaker as time goes by and tokens are signed or encrypted using it,
- the clients cache the JWK responses (usually not respecting the Cache-Control header directive),
- the valid tokens will not become invalid just after the keys are changed.
- establish a time-to-live of the key and enforce it,
- introduce the new key with proper time for clients that have that in cache,
- change the key used,
- after reasonable time, remove the previous key.
main.tf as below and applying the changes:
main.tf
as below:
ec2 to sign tokens, but will still consider tokens
signed by ec1 as valid.
When the time has come for dropping support for tokens signed by ec1, just go ahead and delete the entry as below:
ec1 key is gone from JWK and the tokens signed by that key are not valid.