16.5.1OpenId Connect Keystores

 

SmileCDR issues JWTs as Access Tokens. These tokens are signed by JWKS so that consuming resource providers can verify the authenticity of the token for accessing any given resource.

Keystores provide a convenient way to manage key lifecycles.

Each keystore allows defining a set of keys either as json text, or via a path to a file that contains said keys.

Keystores can then be updated with new values to keep resources secure.

When saving a keyset, if multiple keys are provided, the first will be used as the primary key for signing all newly issued keysets.

NB: When updating keys, it's advisable to keep the previous primary key along with a newer key, so that existing issued tokens still remain valid until refresh.

16.5.1.1Creating Keystores

Keystores can be created by accessing the Config OpenID Keystores menu.

A Keystore consists of a Keystore Id, and either JWKS Text (the raw JSON text of the JWKS to use) or a path to a file containing the JWKS.

The Keystore Id must consist only of alphanumeric characters, underscores, hyphens, and no white space (a-z, 0-9, _, -). It is not editable.

JWKS Text is the raw JSON text of the Key set. It can be provided, or left blank if a file path is provided instead.

JWKS file path is the path to the keyset. If defined, it will be given priority over raw text fields.

16.5.1.2JSON Web KeySet (JWKS) for Signing Tokens

In order to generate OpenID Connect Access Tokens, this module requires a JSON Web Key Set (JWKS). This keyset is used to sign the tokens that are generated so that Resource Servers may verify and ultimately trust that they are legitimate.

Note that anyone who is in possession of the key used here is able to generate access tokens. For this reason it is very important that the key be safely stored.

There are a number of tools that can be used to generate JWKS files. One popular option is the MKJWK tool maintained by the MIT Kerberos and Internet Trust. The steps below show how to create a JWKS file using the online version of their tool; however, for increased security you may wish to download a copy and use it locally:

  • Navigate to https://mkjwk.org/
  • Select the RSA tab with a key size of 2048 (this is the default, which should be sufficient for most purposes)
  • Select a Key Use of Signing
  • Select an algorithm (the default of RS256 should be sufficient)
  • Enter a meaningful key ID ()e.g. my-openid-token-signature)
  • Click "Generate New Key"

Once a key is generated, copy its value to the Signing JWKS textbox of an existing or new Keystore, or save it to a file in the Smile CDR classes directory. In the latter case, the field should be prefixed with classpath as follows: classpath://[filename].

Note that a JWKS file will have contents similar to the following:

{
  "keys": [
    {
      "kty": "RSA",
      "d": "cSYq2di [trimmed]",
      "e": "AQAB",
      "use": "sig",
      "kid": "test",
      "alg": "RS512",
      "n": "mVuJygm [trimmed]"
    }
  ]
}