 

Spring Cloud Security JWT: Distribute Public Key using Config Server / Key Rotation

How do you manage your Private / Public Keys for signing / validating JWTs in Spring Cloud environment?

The "problem":

At the moment I generate a Key Pair. Then copy Private + Public Key to my auth-server application. And also copy the Public Key to each and every Resource Server.

When I now want to implement "Key Rotation" I have to somehow populate the new keys to every service.


The idea:

Maybe I could use the spring-cloud-config-server to store and distribute the Key Pairs?

The config server already provides database login credentials. So why not store even more sensitive information there?


Question(s):

If this is the way to go: How would you implement the key pair distribution with spring-cloud-config-server?

Do you have any security concerns?

How did you solve this problem? I guess there are better solutions.


EDIT:

Maybe there's some solution using Spring Oauth's security.oauth2.resource.jwt.keyUri property for JWKs?

Benjamin M asked Aug 21 '18 11:08


2 Answers

First of all, I would add a gateway to hide the JWT mechanism. It will allow you to revoke tokens from the gateway. If a user knows about his token, you can't revoke it without revoking the public key. It will look like this:


It's easy to implement with Zuul's filters and session-scoped beans.

Secondly, as you said in the comments, you can simply create a new private key to generate new tokens. But all your resource servers must be able to read all the previously generated tokens. So you need to have a list of public keys on each resource server, and each time you receive a request, you must try to verify it with each public key. Maybe you can add a public key id (and put the id on each generated token) to avoid doing a dumb lookup for this task.

For key distribution, using Spring Cloud Bus and RabbitMQ seems right to me.

Oreste Viron answered Oct 20 '22 06:10


You should consider the use of Spring Cloud Consul Config instead:

Consul provides a Key/Value Store for storing configuration and other metadata. Spring Cloud Consul Config is an alternative to the Config Server and Client. Configuration is loaded into the Spring Environment during the special "bootstrap" phase. Configuration is stored in the /config folder by default. Multiple PropertySource instances are created based on the application's name and the active profiles that mimics the Spring Cloud Config order of resolving properties.

You can POST to /refresh to update your key, or watch for changes:

The Consul Config Watch takes advantage of the ability of consul to watch a key prefix. The Config Watch makes a blocking Consul HTTP API call to determine if any relevant configuration data has changed for the current application. If there is new configuration data a Refresh Event is published.

Fabio Manzano answered Oct 20 '22 04:10
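As an added example serving both answers (it is not code from the question or either answer, and not Spring's own code), here is the scheme in Go using only the standard library: the auth server signs RS256 tokens with a kid header, and each resource server keeps a key ring loaded from a JWKS document, the kind of document the keyUri mentioned in the question, a config server property, or a Consul key would carry. Load swaps the whole key set at once, which is what a refresh event or config watch would call; during rotation both keys are published, and dropping the old key from the document is what finally retires it. The Signer and KeyRing types, PublishJWKS, and kids such as 2018-08-key1 are hypothetical names chosen for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"sync"
)

var b64 = base64.RawURLEncoding

// JWK/JWKS: the RFC 7517 fields needed to publish RSA verification keys; the JWKS document is what
// the auth server exposes and what a config server or KV store hands to every resource server.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct{ Keys []JWK `json:"keys"` }

// Signer is the auth-server side: one private key plus the (hypothetical) kid stamped into every token.
type Signer struct {
	Kid string
	Key *rsa.PrivateKey
}

func NewSigner(kid string) (*Signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Signer{Kid: kid, Key: key}, err
}

// Sign issues a compact RS256 JWT; the kid header lets a resource server pick the right key directly
// instead of trying every key in its list.
func (s *Signer) Sign(claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": s.Kid})
	body, err := json.Marshal(claims)
	if err != nil { return "", err }
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.Key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// PublishJWKS exports the public half of every key still accepted (old and new together during the
// rotation overlap); the private keys never leave the auth server.
func PublishJWKS(signers ...*Signer) []byte {
	set := JWKS{}
	for _, s := range signers {
		pub := &s.Key.PublicKey
		set.Keys = append(set.Keys, JWK{Kty: "RSA", Kid: s.Kid, N: b64.EncodeToString(pub.N.Bytes()),
			E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())})
	}
	doc, _ := json.Marshal(set)
	return doc
}

// KeyRing is the resource-server side: every currently trusted public key, indexed by kid.
type KeyRing struct {
	mu   sync.RWMutex
	keys map[string]*rsa.PublicKey
}

// Load replaces the whole set in one swap; call it from the /refresh handler or the config-watch callback.
func (r *KeyRing) Load(doc []byte) error {
	var set JWKS
	if err := json.Unmarshal(doc, &set); err != nil { return err }
	keys := make(map[string]*rsa.PublicKey, len(set.Keys))
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty != "RSA" || k.Kid == "" || errN != nil || errE != nil {
			return fmt.Errorf("rejecting key %q: unsupported type or malformed parameters", k.Kid)
		}
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	r.mu.Lock(); r.keys = keys; r.mu.Unlock()
	return nil
}

// Verify accepts only RS256 and only kids present in the ring, so a retired key stops working the moment
// Load drops it. The alg header is pinned before any key is touched: a token claiming "none" or an HMAC
// algorithm is rejected instead of being verified with the wrong primitive.
func (r *KeyRing) Verify(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed token") }
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected (alg %q)", hdr.Alg)
	}
	r.mu.RLock(); pub := r.keys[hdr.Kid]; r.mu.RUnlock()
	if pub == nil { return nil, fmt.Errorf("unknown kid %q", hdr.Kid) }
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil { return nil, err }
	var claims map[string]interface{}
	return claims, json.Unmarshal(body, &claims)
}
```

Rotation is then three documents in sequence: PublishJWKS(old), PublishJWKS(old, new) while tokens signed with the old key are still in circulation, and PublishJWKS(new) once they have expired; after that last Load a token carrying the retired kid fails with "unknown kid". Whatever serves the document (config server, Consul, a key-set URL), resource servers must fetch it over an authenticated channel, because a forged JWKS is equivalent to a forged signing key.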