Reputation: 388
When enabling light-4j security, there are two files that need to be in the config folder for JWT verification: primary.crt and secondary.crt. I am wondering why there are two certificates for JWT verification.
Upvotes: 2
Views: 230
Reputation: 388
The primary and secondary certificates are for OAuth 2.0 JWT verification. These certificates are supposed to be rotated based on time or on the number of tokens signed. Once the new certificate is in use on the OAuth 2.0 provider, all new tokens will be signed by the new certificate, which is indicated in the JWT header kid field. However, there are old tokens signed by the previous certificate that are still valid, cached on the clients, and can be sent to the service. That is why we have two certificates during the transition period. After 15 minutes (configurable on the OAuth 2.0 provider), all old tokens have expired and the old certificate can be removed from the configuration, but it won't hurt to leave it there. If you are using light-oauth2 as your OAuth 2.0 provider, you don't need to keep these certificates in your configuration, as services can call the light-oauth2 key distribution service to get the public key certificate the first time they receive a token. More details can be found at https://www.networknt.com/concern/security/
Upvotes: 1
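The kid-based key selection the answer describes, as an added example that is not light-4j's or light-oauth2's own code: a key set holding both keys is consulted by the kid in the token header, so tokens signed under the previous key still verify during the transition and are rejected once that key is removed. The kid labels "primary" and "secondary", the hand-rolled RS256 signing and verification, and the RSA keys generated at run time are assumptions made for the demo; light-4j loads its keys from primary.crt and secondary.crt instead.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// KeySet maps a JWT "kid" to its public key; during a rotation it holds both keys (primary.crt and secondary.crt).
type KeySet map[string]*rsa.PublicKey
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// Sign mints a minimal RS256 JWT whose header names the signing key by kid (demo stand-in for the OAuth 2.0 provider).
func Sign(priv *rsa.PrivateKey, kid, payloadJSON string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	input := b64(hdr) + "." + b64([]byte(payloadJSON))
	d := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}
// Verify picks the key by header kid (alg pinned to RS256, unknown kid rejected)
// and returns that kid; the kid is meaningful only when the error is nil.
func Verify(keys KeySet, token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	hdrJSON, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, e2 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil {
		return "", errors.New("bad base64url segment")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return "", errors.New("bad header or alg")
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return "", errors.New("unknown kid " + hdr.Kid)
	}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return hdr.Kid, rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
}
```

Removing the "secondary" entry from the KeySet after the old tokens' lifetime has passed is the code equivalent of deleting secondary.crt from the config folder.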