-
Notifications
You must be signed in to change notification settings - Fork 9.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support describing security keys in OAS #1881
Comments
I realize that we want to make this forward thinking and not lock ourselves into one implementation but JSON Web Keys (JWK) allow for describing all key types I interact with. So my question is can't we treat JWK as the description format for security keys and go from there? |
Conversely, if we find that JWKs satisfy all likely general requirements for secure-keys, can't we still use a more generic term for both the property which defines or points to one, and the same for the container within |
Agreed. I want the top-level security key properties to be implementation agnostic. |
A JWT describes a cryptographic instance. We need to describe the space of acceptable cryptographic instances. For example, an API may accept requests signed using RS256, RS384, and RS512. That would require three different JWT objects. What if we tried a JWT-like structure describing the names and valid values for the JOSE JWE and JOSE JWS parameters as well as the JWT claims? Each entry could identify the parameter/claim name and list the valid values for the entry. It should also indicate if it is protected or unprotected. |
I'm not following, JWS already has a "JWT-like" structure where the algorithm and key details are describes. So what's missing? |
First of all, JWT describes the encryption operations that HAVE been performed. We need to describe the operations that CAN be formed. For example, how do I tell a user that they can use HS256, HS384, or HS512 to generate their signatures? Second, OpenAPI is not restricted to JSON payloads. If I support XML signatures, how do I tell users which canonicalization algorithms my API supports? I'm not saying that JWT is not a good place to start. But there is still more to do. |
I think your crossing the streams, if I understand you correctly. I'm talking about JSON Web Keys (JWS) and not JSON Web Tokens (JWT). You're right about JWT, they are encrypted/signed and the JWT self-describes what was used to encrypt/sign the key. My proposal is for defining JWS (not JWT) that are used for secure interactions with an API, like a JWS used to verify a JWT or like a JWS used to encrypt/sign a request/response. How an operation dictates that it's encrypted/signed, and how, is a consumer of keys and is yet to be decided. Security Schemes will need a way to consume keys as well. |
@whitlockjc I think you need to expand your example to include the following (oneOf jwk or jwks_uri): security:
jwks-oath:
type: http
scheme: bearer
bearerFormat: JWT
jwks_uri: https://example.com/.well-known/jwks.json This then works with Oauth2 providers that use JWTs and enables using JWKs with remote look up for key rotation. |
As an addendum to this, a good shout would be to ensure that the jwks_uri can be reflective of different environments in an API providers promotional model. For example, in the EU many banks are implementing JWKS for PSD2/open banking and they have several JWKS across their sandbox and production. For those doing OpenID Connect obvs it can be defined and exposed in Discovery endpoint but for those not this would be a good feature. Simplest approach probably in the style of a Server object I guess |
Often times when interacting with APIs, security keys are involved. From a JWT perspective, keys are used for encrypting, signing and verifying tokens. In issue #1464, keys are used for encrypting and signing requests/responses. I would like to propose that we officially support describing security keys in OAS, starting with JSON Web Keys.
Shooting from the hip, here is a first-pass example:
As you can see, each key has three common properties:
description
: A human-readable description of the keytype
: The type of the key (One could argue that JSON Web Keys are capable of describing any key and only JSON Web Keys should be supported but for now, this value would be free-form and it would be tooling specific as to how the values are validated.)metadata
: This is the information describing the key based on the key type (This field must be free-form to allow for future expansion)Once we have a common way to describe security keys, you have the ability to reference them using JSON References to use. Here are two examples:
Signed Reqeusts/Responses (#1464)
JWT-based Security Scheme
Note: This example uses a JWT-based Security Scheme that DOES NOT exist yet and is only for example purposes. There is an ongoing discussion about supporting JWT for security in OAS but this is not indicative of what will be supported if/when a decision is made.
Now that we have some examples, let's get the conversation started.
The text was updated successfully, but these errors were encountered: