Security of signing keys shared between token issuers for the same application

Time:11-29

Imagine that we have one token issuer that is responsible for an OAuth Authorization Code Flow, and another that's responsible for a Client Credentials Flow that both serve JWTs exclusively to the same application. Are there excellent security reasons why these two token issuers should not use the same signing keys?

CodePudding user response:

I don't see any major security issue to share the same private signing key between the two applications. But it all depends on your security level and how you will handle the rotation and management of the keys.

However, if one of the providers is hacked, then the other is of course also vulnerable. But I think the answer is it-depends.

Many Identity Providers support multiple signing keys, perhaps one client requires a stronger key/signing scheme than others. Or one system requires only RSA and some other requires ECDSA keys being used.

However, you would typically use the same Identity Provider for both Authorization Code Flow and Client Credentials Flow, because the APIs receiving the access tokens prefer to have a single provider to download the public keys from.
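The practical consequence of the answer above is that once two issuers sign with one key, the signature alone no longer says which issuer minted a token, so the receiving API has to bind every token to an expected `iss`, `aud` and key id. The following is an added illustration, not code from the question or answer: a minimal JWT mint/verify pair (HS256 with a constructed shared key standing in for the RSA/ECDSA key discussed) in which the user-facing and the machine-to-machine issuer share one `kid`, and the verifier still tells them apart. Issuer URLs, the `kid` value and the key are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(issuer: str, audience: str, kid: str, key: bytes, ttl: int = 300) -> str:
    """Issue an HS256 JWT; the HMAC key stands in for the shared private signing key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    now = int(time.time())
    claims = {"iss": issuer, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify(token: str, expected_iss: str, expected_aud: str, keys: dict) -> dict:
    """Check the signature under the published kid, then bind the token to one issuer and audience."""
    h, p, s = token.split(".")                # raises ValueError on a malformed token
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # allow-list the algorithm, never trust the header blindly
        raise ValueError("unexpected alg")
    key = keys.get(header.get("kid"))         # select the key the (shared) JWKS publishes under that kid
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_iss:     # with a shared key, only this check separates the issuers
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:     # and this one keeps a token for another API out
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims

def check(token: str, expected_iss: str, expected_aud: str, keys: dict) -> str:
    """Return 'ok' or the rejection reason instead of raising."""
    try:
        verify(token, expected_iss, expected_aud, keys)
        return "ok"
    except ValueError as exc:
        return str(exc)

# Constructed scenario: both issuers from the question sign with one shared key under one kid.
SHARED_KEY = b"constructed-shared-signing-key"
JWKS = {"shared-2023-11": SHARED_KEY}
API, USER_ISS, M2M_ISS = "https://api.example.test", "https://login.example.test", "https://m2m.example.test"
```

If the shared key is ever compromised, both issuers' tokens are forgeable at once, so a verifier built this way also needs a single rotation plan that retires the `kid` for both issuers together.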
