1 comments

  • time4tea 41 minutes ago
    The key material is in Redis? Seems odd. Should be in a FIPS 140 HSM? Else the key can be stolen easily.

    Maybe I missed something.
    • nijave 28 minutes ago
      How can the key be stolen easily? That really depends on the security of the Redis setup. Redis is typically not internet accessible so you'd need some sort of server exploit.

      Would have been good if the article example showed a Redis server with TLS and password auth.
      • time4tea 21 minutes ago
        Private key material should not be kept in the clear anywhere, ideally. This includes on your dev machine, serialised in a store, in the heap of your process, anywhere. Of course, it depends on your threat environment, but the article did mention PCI-DSS. If you put it in Redis, then anyone that has access (internal baddies exist too!) can steal the key and sign something. It's hard to repudiate that.
    • a_random_name 37 minutes ago
      (glanced at it so I could be wrong) They're talking about a public key that can be used to validate the JWT's authenticity. AFAIK there is no need to keep these secret, and it's not possible to (without breaking public key crypto) forge them so it should be safe to store them wherever.
      • time4tea 35 minutes ago
        From article:

        Private key redis key

            public static string PrivateKey(string kid) => $"{Root}:jwks:private:{kid}"; // full private material (short life)
        • a_random_name 25 minutes ago
          TY, that seems like not the best practice.