Key Rotation¶
Insights Hub signs JSON Web Tokens using keys that are regularly updated based on the best practices for security. Thus, any application or API that validates access tokens must regularly update the set of public keys it uses for signature validation.
You can find the valid public keys for Insights Hub operator or developer environments at: https://{tenant_name}.piam.{region}.{mindsphere_domain}/token_keys
. For more information, refer to the OAuth Authorization Server documentation.
Key Rotation Processes¶
This section describes the key rotation process, which serves as a security practice that involves replacing the cryptographic keys used for signing access tokens to minimize the risk of key compromise. There are two main types of key rotation processes: hard key rotation and soft key rotation.
Hard Key Rotation¶
Hard key rotation is a process where the old key is replaced with a new key instantly. The stages of hard key rotation are as follows:
- Initial State
Thetoken_keys
endpoint returns an array of public keys containing only one public key, e.g., a key with key ID (kid
){key_id_1}
(value may differ).
Thekid
claim in the access token header indicates that the key with key ID{key_id_1}
was used for signing the token.
Access tokens must be validated using the key corresponding to key ID{key_id_1}
. - New Key is Available and Used
Thetoken_keys
endpoint returns an array of public keys containing two public keys with key IDs{key_id_1}
and{key_id_2}
(values may differ). The new key is instantly used to sign new tokens.
Thekid
claim in the access token header indicates that the key with key ID{key_id_2}
was used for signing the token.
Access tokens must be validated using the key corresponding to key ID{key_id_2}
. - Old Key is removed
Thetoken_keys
endpoint returns an array of public keys containing only one public key with key ID{key_id_2}
.
Thekid
claim in the access token header indicates that the key with key ID{key_id_2}
was used for signing the token.
Access tokens must be validated using the key corresponding to key ID{key_id_2}
.
Note
When evaluating the kid
claim of the access token, make sure to treat the information as coming from an untrusted source. Applications should sanitize the received value to avoid introducing attack vectors like SQL injection vulnerabilities.
Soft Key Rotation¶
Soft key rotation is a process where the new key is introduced gradually before replacing the old key. The stages of soft key rotation are as follows:
- Initial State
Thetoken_keys
endpoint returns an array of public keys containing only one public key, e.g., a key with key ID (kid
){key_id_1}
(value may differ). There may be multiple keys at this stage.
Thekid
claim in the access token header indicates that the key with key ID{key_id_1}
was used for signing the token.
Access tokens must be validated using the key corresponding to key ID{key_id_1}
. - New Key is Available
Thetoken_keys
endpoint returns an array of public keys containing two public keys with key IDs{key_id_1}
and{key_id_2}
(values may differ). The new key is not used to sign new tokens yet.
Thekid
claim in the access token header indicates that the key at{key_id_1}
was used for signing the token.
Access tokens must be validated using the key corresponding to key ID{key_id_1}
. - New Key is Used
Thetoken_keys
endpoint returns an array of public keys containing two public keys (as in the line above). The new key is used to sign new tokens.
Thekid
claim in the access token header indicates that the key at{key_id_2}
was used for signing the token.
Access tokens must be validated using the key corresponding to key ID{key_id_2}
. - Old Key is Removed
Thetoken_keys
endpoint returns an array of public keys containing only one public key with key ID{key_id_2}
.
Thekid
claim in the access token header indicates that the key at{key_id_2}
was used for signing the token.
Access tokens must be validated using the key corresponding to key ID{key_id_2}
.
Note
When evaluating the kid
claim of the access token, make sure to treat the information as coming from an untrusted source. Applications should sanitize the received value to avoid introducing attack vectors like SQL injection vulnerabilities.
Handling Key Rotation¶
Hard key rotation and soft key rotation require services to regularly check for new key sets. Soft key rotation admits some transition time, as new key sets are announced before they are used.
Hard and soft key rotations can be handled using the following procedure:
Note
It is important to note that you can also use a library for validating JSON Web Tokens. For example, refer to https://jwt.io.
Recommended Procedures without Downtime¶
- Bootstrap the key set for token validation
Load the initial set of public keys from thetoken_keys
endpoint during start-up. - Dynamically check for new keys during token validation
Check whether the access token has been signed with a known key ID while validating an access token.
If the key ID is unknown and the set of public keys has not recently been updated, request an update from thetoken_keys
endpoint. Use the updated key set for token validation thereafter.
Note
The access rate for the token_keys
endpoint can be limited in the future.
Trouble Shooting for Handling Key Rotation¶
This section provides potential workarounds if your application or API does not support the recommended key rotation methods. These workarounds help maintain security and ensure a smooth key rotation process.
Note
Ensure that key_id_1
and key_id_2
are not mixed up during implementation.
Problem | Potential Workaround |
---|---|
When the application or API does not validate access tokens. | None required. |
It only downloads the key set during the start up. | Trigger a restart after a key rotation to get the latest key set. |
It loads the public key set from the configuration. | Reconfiguration: Update the configuration with the latest key set after a key rotation and activate the configuration, for example, by re-starting the application. |
It uses a hard-coded public key or key set. | If the application supports updating or overwriting the key or key set via configuration, refer to the Reconfiguration solution mentioned in the above line. Otherwise, change and re-validate the implementation. |
It downloads the key set but cannot handle multiple keys provided by the token_keys endpoint. | Change and re-validate the implementation. |
It cannot handle receiving tokens signed with a newly introduced key (not yet known to the application). | If the key set is downloaded from the token_keys endpoint or provided as a configuration parameter, refer to the Reconfiguration solution mentioned above. Otherwise, change and re-validate the implementation. |
It ignores the kid claim when validating the token's signature. | Change and re-validate the implementation. |
Except where otherwise noted, content on this site is licensed under the Development License Agreement.