
Azure KeyVault for signing sample

Open leastprivilege opened this issue 2 years ago • 1 comment

  • get public key from KV
  • use KV for signing tokens

leastprivilege avatar Jan 19 '22 08:01 leastprivilege

I have looked into how to use the KeyVault for signing tokens and I ran into a couple of items:

  1. KeyVault has a 2000-request-per-10-second hard limit. My thought was to build a solution that allowed multiple KeyVaults to be hooked up to scale past the rate limit when approaching that request rate. It would require retrieving the public key from all connected KeyVaults. https://docs.microsoft.com/en-us/azure/key-vault/general/service-limits https://docs.microsoft.com/en-us/azure/key-vault/general/overview-throttling
  2. All of the examples I found for using the KeyVault to sign tokens were based on the premise of only one signing algorithm, and that created potential difficulties if specific certificates were used for specific algorithms. There needs to be one implementation of ISigningCredentialStore per signing algorithm, and the DefaultTokenCreationService needs to know the correct certificate URL to use based on the requested signing algorithm.

amadard avatar Apr 22 '22 21:04 amadard
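An added sketch of the two points in the comment above, written against Microsoft.IdentityModel and the Azure Key Vault SDK; it is not IdentityServer's or Azure's own code. It is a `SignatureProvider` that keeps one Key Vault key per JWT algorithm in each vault, rotates across vaults while each stays inside its 2000-requests-per-10-seconds budget, and signs through `CryptographyClient`. Assumed: the caller builds one `CryptographyClient` per (vault, algorithm) from constructed key URLs such as `https://kv1.vault.azure.net/keys/rs256-key/<version>`, and the `SecurityKey` handed in carries that key's public half and `kid`, which, like every other vault's public key, has to be published in discovery.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using Azure.Security.KeyVault.Keys.Cryptography;
using Microsoft.IdentityModel.Tokens;

// One Key Vault: a CryptographyClient per JWT algorithm plus that vault's 2000-per-10-second budget.
public sealed class VaultSlot
{
    public const int Limit = 2000;
    public static readonly TimeSpan Window = TimeSpan.FromSeconds(10);
    public IReadOnlyDictionary<string, CryptographyClient> ClientByAlgorithm { get; }
    private readonly object _gate = new();
    private DateTime _windowStart; private int _count; // state of the current 10 s window
    public VaultSlot(IReadOnlyDictionary<string, CryptographyClient> clientByAlgorithm) =>
        ClientByAlgorithm = clientByAlgorithm;
    // Reserve one request in the current window; false means this vault would be throttled.
    public bool TryReserve(DateTime now)
    {
        lock (_gate)
        {
            if (now - _windowStart >= Window) { _windowStart = now; _count = 0; }
            return _count < Limit && ++_count > 0; // count the request only while under the limit
        }
    }
}

// Signs with the key registered for the requested algorithm, rotating across vaults that still have
// budget. JWT names RS256/PS256/ES256 are also Key Vault SignatureAlgorithm names, so they map 1:1.
public sealed class MultiVaultSignatureProvider : SignatureProvider
{
    private readonly List<VaultSlot> _vaults;
    private int _next;
    public MultiVaultSignatureProvider(SecurityKey key, string algorithm, IEnumerable<VaultSlot> vaults)
        : base(key, algorithm) => _vaults = vaults.Where(v => v.ClientByAlgorithm.ContainsKey(algorithm)).ToList();
    private CryptographyClient Pick()
    {
        int start = Interlocked.Increment(ref _next) & int.MaxValue;
        for (int i = 0; i < _vaults.Count; i++)
        {
            var v = _vaults[(start + i) % _vaults.Count];
            if (v.TryReserve(DateTime.UtcNow)) return v.ClientByAlgorithm[Algorithm];
        }
        throw new InvalidOperationException($"all vaults are at the 2000/10s limit for {Algorithm}");
    }
    // SignData lets the vault hash and sign the "header.payload" bytes the JWT handler passes in.
    public override byte[] Sign(byte[] input) => Pick().SignData(new SignatureAlgorithm(Algorithm), input).Signature;
    // Validation belongs to the published public keys (JWKS) of every vault, not to a vault round-trip.
    public override bool Verify(byte[] input, byte[] signature) => throw new NotSupportedException("verify with the published public keys");
    protected override void Dispose(bool disposing) { }
}
```

Plug it in through an `ICryptoProvider` assigned to `CryptoProviderFactory.CustomCryptoProvider` on the `SigningCredentials` of each algorithm, one provider instance per algorithm, so that the token creation step selects the right key URLs by the requested algorithm.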