Skip to content

JSON Signing and Encryption#

Janssen uses keys for signing and encryption, primarily concerning JSON documents. There are six IETF RFCs that provide considerable detail:

Auth Server Supported Signing#

JWT Type Algorithms
DPOP RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512
Authorization HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, ES512, PS256, PS384, PS512
Request Object HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512
Userinfo HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512
Token Endpoint Auth HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512
ID Token HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512

Auth Server Supported Encryption#

Encryption Methods Algorithms
Authorization A128CBC+HS256, A256CBC+HS512, A128GCM, A256GCM
id_token A128CBC+HS256, A256CBC+HS512, A128GCM, A256GCM
Request object A128CBC+HS256, A256CBC+HS512, A128GCM, A256GCM
Userinfo A128CBC+HS256, A256CBC+HS512, A128GCM, A256GCM
Encryption Algorithms Algorithms
Userinfo RSA1_5, RSA-OAEP, A128KW, A256KW
id_token RSA1_5, RSA-OAEP, A128KW, A256KW
authorization RSA1_5, RSA-OAEP, A128KW, A256KW
request object RSA1_5, RSA-OAEP, A128KW, A256KW

Java Cryptographic Engine (JCE)#

Janssen projects ships and tests with the Bouncy Castle Crypto API's JCE. However, you may substitute your own JCE as long as it has implementations for the algorithms used by Auth Server.

Key Rotation#

OpenID Connect clients must support the rotation of both signing and encryption keys. The best practice is to rotate often--the default configuration in a VM installation of Auth Server is every two days. The reason for such a frequent rotation is to make sure developer account for rotation at the time they create applications--lest they forget and their software breaks a year later when rotation happens.

In a single VM deployment, key rotation is controlled by Auth Server. But in a clustered deployment, key rotation has to happen centrally. Janssen includes a key rotation service for cloud deployments.

Certificates#

X.509 is used extensively for web server TLS. But it is also used for Mutual Transport Layer Security (MTLS), either initiated by a software client, or presented by a person (i.e. a personal certificate). MTLS is generally implemented in the web tier.

FIPS#

To support FIPS 140-2 conformance, you must use a FIPS approved JCE, and preferably, use an operating system that has FIPS Enforcement, like RHEL 8.


Last update: 2024-01-30
Created: 2022-07-21