mirror of
https://github.com/kanidm/kanidm.git
synced 2025-02-23 12:37:00 +01:00
d7834b52e6
This completely reworks how we approach and handle cryptographic keys in Kanidm. This is needed as a foundation for replication coordination which will require handling and rotation of cryptographic keys in automated ways. This change influences many other parts of the code base in it's implementation. The primary influences are: * Modification of how domain user signing keys are revoked or rotated. * Merging of all existing service-account token keys are retired (retained) keys into the domain to simplify token signing and validation * Allowing multiple configurations of local command line tools to swap between instances using disparate signing keys. * Modification of key retrieval to be key id based (KID), removing the need to embed the JWK into tokens A side effect of this change is that most user authentication sessions and oauth2 sessions will have to be re-established after upgrade. However we feel that session renewal after upgrade is an expected side effect of an upgrade. In the future this lays the ground work to remove a large number of legacy key handling processes that have evolved, which will allow large parts of code to be removed. |
||
|---|---|---|
| .. | ||
| apache_oauth | ||
| systemd | ||
| config | ||
| config_localhost | ||
| iam_migration_ldap.toml | ||
| insecure_server.toml | ||
| kanidm | ||
| kanidm-ipa-sync | ||
| kanidm-ldap-sync | ||
| server.toml | ||
| server_container.toml | ||
| unixd | ||
| unixd.macos | ||
| wifi-blackhats.mobileconfig | ||