[FEATURE] Support multiple keys in JWT configuration #4613
Labels: enhancement (New feature or request), triaged (Issues labeled as 'Triaged' have been reviewed and are deemed actionable.)
Is your feature request related to a problem?
Currently, OpenSearch only supports a single key for JWT verification at any time. When you configure JWTs, you specify the key and that is the only key which your requests can be verified against. This leads to downtime for the cluster when you want to rotate your keys. Because updating the security configuration is not an instantaneous process, you will experience a period of time when no valid key is available for you to send JWT requests with.
What solution would you like?
It would be great if multiple JWT keys could be stored at a time. This means that you could rotate a key without losing access to the cluster. Since there would be multiple keys, when you need to rotate one key you can use the other key to send your requests. This avoids the period of time where there is not a valid key for your requests to be auth'd against.
What alternatives have you considered?
Leaving things as is is always an option, but it fails to resolve the downtime problem. Figuring out a way to make the security configuration updates instantaneous would also solve this problem, but that is a larger change and one that is far less likely to be completed.
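The behaviour requested above, sketched as an added example that is not part of the original issue and is not OpenSearch code: an HS256 verifier that accepts a token if any key in a configured list validates it, so old and new keys can overlap during rotation. The keys, claims, function names and the "exp is required" policy are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT (client side of the example)."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url(mac)}"

def verify_hs256(token: str, keys: list, now: int):
    """Return the claims if ANY configured key verifies the token, else None."""
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm; never let the token header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signed = f"{head_b64}.{claims_b64}".encode()
    # Try every configured key without an early exit; compare in constant time.
    ok = False
    for key in keys:
        mac = hmac.new(key, signed, hashlib.sha256).digest()
        ok |= hmac.compare_digest(mac, sig)
    if not ok or not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:  # assumed policy: exp required
        return None
    return claims

# Constructed sample keys and claims, for illustration only.
OLD_KEY = b"constructed-old-key-0123456789abcdef"
NEW_KEY = b"constructed-new-key-fedcba9876543210"
CLAIMS = {"sub": "svc-client", "exp": 2000}
```

With a key list, rotation becomes three steps: add the new key alongside the old one, switch token issuers to the new key, then remove the old key once its outstanding tokens have expired.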