Rotating keys and caching
16 views
Skip to first unread message
Stéphan Kochen
Nov 28, 2016, 11:15:49 AM11/28/16
to Portier
Hey everyone,
Today I tried to setup key rotation for a Portier install. However, in the current implementation of things, this may cause clients to shortly reject tokens signed with the new key.
We set no cache headers in the broker, but the Node.js and PHP libraries enforce a minimum cache time for discovery and keys documents. As a result, the clients we’re running didn’t know about the new key and rejected it.
What would be the best way to approach this? It seems unwise to have clients hit the broker for every login, even if we could use validation headers like If-Modified-Since. I’m thinking: throw away the cache and refetch keys only if we encounter a new key ID?
Alternatively, we could also turn this into a broker issue. There’s an open issue to add cache headers (#41) including Cache-Control, but once we start sending that, we must also use the max-age period as a grace period, during which we only introduce the new key, but keep using the old key.
We could add a ‘don’t use before’ time to each key, but it’d complicate configuration quite a bit.
Thoughts?
— Stéphan Kochen
Today I tried to setup key rotation for a Portier install. However, in the current implementation of things, this may cause clients to shortly reject tokens signed with the new key.
We set no cache headers in the broker, but the Node.js and PHP libraries enforce a minimum cache time for discovery and keys documents. As a result, the clients we’re running didn’t know about the new key and rejected it.
What would be the best way to approach this? It seems unwise to have clients hit the broker for every login, even if we could use validation headers like If-Modified-Since. I’m thinking: throw away the cache and refetch keys only if we encounter a new key ID?
Alternatively, we could also turn this into a broker issue. There’s an open issue to add cache headers (#41) including Cache-Control, but once we start sending that, we must also use the max-age period as a grace period, during which we only introduce the new key, but keep using the old key.
We could add a ‘don’t use before’ time to each key, but it’d complicate configuration quite a bit.
Thoughts?
— Stéphan Kochen
Reply all
Reply to author
Forward
0 new messages