DefaultSigner should support key rotation

[mitar]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe your problem

It looks to me like there is no simple way to rotate the keypair? DefaultSigner and its GetPrivateKey allows only one key to be returned?

Describe your ideal solution

I think DefaultSigner should also have a method like GetRotatedPrivateKeys which would be used only for validating. Similar to how there is GlobalSecret and RotatedGlobalSecrets.

Workarounds or alternatives

I could implement my own Signer but it would be better if this is part of fosite.

Version

v0.45.0

Additional Context

No response

[github-actions]

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas on how you could contribute towards resolving it;
• leave a comment and describe in detail why this issue is critical for your use case;
• open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️

[mitar]

Still relevant.

[aeneasr]

I'm quite confident that key rotation works in hydra, so might be worth a look there.

[mitar]

I looked but I could not find it. The custom signer Hydra has doe not do key rotation.

[aeneasr]

But it's in the product: https://www.ory.sh/docs/hydra/self-hosted/secrets-key-rotation

[mitar]

@aeneasr I looked at Hydra source code for few hours now and I do not think it key rotation really works for JSON Web Token Signing Keys. Configuring multiple keys really outputs multiple keys from JWKS discovery endpoint which allows 3rd party clients to fetch old keys and validate issued tokens. But this is not enough. Also token introspection handler in Hydra should validate against old keys if somebody provides an access token signed with an old key, but token introspection handler in Hydra only uses the first key to validate - because fosite does not support using multiple keys to validate (and one key to sign). I also could not find any test in Hydra to test this use case. So:

• Generate JWT access token and sign it with key A.
• Create new key B, configure Hydra that key B is a new primary key, while keeping key A configured as old rotated key.
• Use token introspection on previously generated JWT access token.

I have not tested this on live Hydra instance but I was reading the source code. Maybe I missed something, but I really do not see anything which would enable this behavior. I think unless a) Hydra uses completely custom Signer (but it does not) b) fosite provides this feature as part of DefaultSigner, this cannot work.