JSON Web Keys (JWK): Rotating cryptographic keys at Zalando

Static secrets are evil. Whether they are secret keys hard-coded in source code, tokens without expiry, or plaintext API keys referenced from configuration files, static secrets are ticking time bombs. The same is true for the cryptographic key material behind JSON Web Tokens (JWTs) and OpenID Connect (OIDC).

At Zalando, our customer authentication experience team takes protecting our customers' data and their digital identities seriously. Part of our toolbox is an OpenID Connect (OIDC)-based identity provider (IdP). A key aspect of this system's security is the regular rotation of cryptographic keys, which we've automated to ensure the ongoing safety of our platform.

This article aims to shed light on why we rotate cryptographic keys, how the periodic JWK rotation process works, and what it means for customers.

What are JSON Web Keys (JWKs)?

JSON Web Keys (JWKs) are an essential part of the JSON Object Signing and Encryption (JOSE) standards family and the backbone of token-based authentication and authorization frameworks like OIDC. JWK standardises the representation and management of cryptographic keys (RFC 7517). Its JSON data structure allows the exchange of public keys in a web-native format.

Identity providers (IdPs) like ours commonly use JWKs to distribute public key material via well-known and specified URIs. Clients can use the key material to e.g. verify digitally signed JSON Web Tokens (JWTs) issued by the IdP. These tokens contain information about users and their access rights, and their integrity is crucial for preventing unauthorized acc...
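The two preceding paragraphs describe what a JWK looks like and how a client uses a published key set to verify IdP-issued JWTs. The following Go program is an added example written for this page; it is not Zalando's code and does not describe their IdP. It publishes two RSA keys as a JWK Set, signs a token whose header carries the `kid` of the older key, and verifies it against the set. The algorithm (RS256), the `kid` values `2024-12` and `2025-01`, the `sub` claim and the function names are all assumptions made for the example; the page names none of them. Only the public members `n` and `e` ever appear in the JWKS, and the verifier fails closed on an unknown `kid`, which is what a client observes once a rotated-out key has been removed from the published set.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK holds the RFC 7517/7518 members needed to publish an RSA signing key.
// Only the public half (n, e) is serialised; the private exponent never leaves the IdP.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Use string `json:"use"`
	Alg string `json:"alg"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the key-set document an IdP serves at its jwks_uri.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url throughout (RFC 7515)

// NewSigningKey generates an RSA key pair plus the public JWK published under kid
// (kid values and key size are assumptions made for this example).
func NewSigningKey(kid string) (*rsa.PrivateKey, JWK, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, JWK{}, err }
	jwk := JWK{Kty: "RSA", Kid: kid, Use: "sig", Alg: "RS256",
		N: b64.EncodeToString(priv.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	return priv, jwk, nil
}

// PublicKey rebuilds the rsa.PublicKey a client needs from a fetched JWK.
func (k JWK) PublicKey() (*rsa.PublicKey, error) {
	if k.Kty != "RSA" { return nil, fmt.Errorf("unsupported kty %q", k.Kty) }
	n, err := b64.DecodeString(k.N)
	if err != nil { return nil, err }
	e, err := b64.DecodeString(k.E)
	if err != nil { return nil, err }
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// SignJWT issues a compact RS256 JWS whose header names the signing key by kid.
func SignJWT(kid string, priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil { return "", err }
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyJWT validates a token against a JWKS: it pins alg to RS256 (so "none" or an
// HMAC header is rejected before any key is touched), selects the key by kid, and
// fails closed when the kid is absent, i.e. once a retired key has left the set.
func VerifyJWT(token string, set JWKS) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed token") }
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil { return nil, err }
	if hdr.Alg != "RS256" { return nil, fmt.Errorf("unexpected alg %q", hdr.Alg) }
	var key *JWK
	for i := range set.Keys {
		if set.Keys[i].Kid == hdr.Kid && set.Keys[i].Use == "sig" { key = &set.Keys[i] }
	}
	if key == nil { return nil, fmt.Errorf("no signing key with kid %q", hdr.Kid) }
	pub, err := key.PublicKey()
	if err != nil { return nil, err }
	sig, err := b64.DecodeString(parts[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	claimsJSON, err := b64.DecodeString(parts[1])
	if err != nil { return nil, err }
	var claims map[string]any
	err = json.Unmarshal(claimsJSON, &claims)
	return claims, err
}

// main walks through one rotation: the token verifies while the old kid is still
// published and is rejected once that key has been retired from the set.
func main() {
	oldPriv, oldJWK, _ := NewSigningKey("2024-12")
	_, newJWK, _ := NewSigningKey("2025-01")
	tok, _ := SignJWT("2024-12", oldPriv, map[string]any{"sub": "customer-42"})
	_, err := VerifyJWT(tok, JWKS{Keys: []JWK{oldJWK, newJWK}}) // both published: err == nil
	fmt.Println("during overlap:", err)
	_, err = VerifyJWT(tok, JWKS{Keys: []JWK{newJWK}}) // old kid retired: rejected
	fmt.Println("after retirement:", err)
}
```

Two design points matter for a rotating key set. First, the verifier never trusts the token's `alg` to pick a verification method; it fixes the expected algorithm and rejects everything else, which closes the classic `none` and HMAC-with-public-key confusions. Second, the overlap in `main` is the whole reason a JWKS is a set: the IdP can publish the successor key before it starts signing with it, and keep the predecessor published until every token it signed has expired. A production client would additionally check `exp`, `iss` and `aud`, and would cache the JWKS and refetch it on an unknown `kid` rather than hitting the endpoint per request; those checks are omitted here to keep the example focused on key selection.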