Jwks

[antonioT90]

List of changes

jwks file generation with jwt certificate

Motivation and context

Type of changes

• Add new resources
• Update configuration to existing resources
• Remove existing resources

Env to apply

• DEV
• UAT
• PROD

Does this introduce a change to production resources with possible user impact?

• Yes, users may be impacted applying this change
• No

Does this introduce an unwanted change on infrastructure? Check terraform plan execution result

• Yes
• No

Other information

---

If PR is partially applied, why? (reserved to mantainers)

[pasqualedevita]

maybe it's better an EC algorithm or more length RSA key 4096

[pasqualedevita]

@pp-ps have u a suggestion for algorithm/key length?

[pp-ps]

As long as the call to forge a token (signed with this key) is authenticated and observable in metrics, I don't have any strong bias against RSA. EC verification (for receiveing systems) is much more expensive.

RSA 2048 bit looks fine too, as long as the key is periodically rotated (1y?, let's think about it as if it's an expiring certificate)

What I find strange is the choice to pack everything in a azurerm_key_vault_certificate. Why can't we use a azurerm_key_vault_key?

[pasqualedevita]

@antonioT90 can u try to use azurerm_key_vault_key?
with azurerm_key_vault_key u can retrieve
n - The RSA modulus of this Key Vault Key
e - The RSA public exponent of this Key Vault Key
and remove python script

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#attributes-reference

[antonioT90]

@pasqualedevita i'm not able to retrieve the private key generated using key_vault_key, we need it in order to firm JWT token in hubSpidLogin application

[antonioT90]

same answer to @pp-ps! the use of key_vault_key will not allow me to read the private key generated

the use of azurerm_key_vault_certificate is due to transform the private and public keys into a X509 certificate, simplifying the calculation of thumbprint

[antonioT90]

regarding the rotation of the keys, there is a problem due to the inability to replace a previous version of a key: actually I obtain an error due to the safe delete feature enabled which will not allow to perform a delete and purge of previous value...

[pasqualedevita]

LGTM, @pp-ps ?

[pp-ps]

I hear we need to speed up deployment of this, let's go ahead and refactor later.

• line 46 in jwksFromPems.py is way too complex
• if we move away from self-signed certs, we can avoid PEMs and so x5c and x5t (use raw keys)

Approving for now.