OIDC signing key resource API
Closed this issue · 0 comments
muhlemmer commented
As an admin I want to be able to create, rotate and disable signing keys for OIDC tokens manually. Keys only exist on instance level, as they represent the issuer (instance domain).
Acceptance criteria
api/grpc
- Permission:
iam_key_manager - Create signing key API: creates and stores a keypair. The private key is initially inactive to allow for ahead-of-time creation.
- List signing keys: list metadata and status of all keys. No keydata!
- Activate key: set a primary key as the active signing key. Un-sets the previously active key.
- Delete key: delete the keypair. Only non-active keys can be deleted.
Instance creation
- 2 keypairs are generated on instance creation
- 1 private key is set as active key
Feature flag
- Key management behind feature flag.
- When the feature flag is enabled, generate keys as per instance creation.
Storage
- The key's ID must match the aggregate ID
- The resource owner is the instance
- Private key is encrypted
- Public key is plain