
Add docs on how to migrate key material

Open wcabus opened this issue 7 months ago • 2 comments

When transitioning from RS256 to X.509 key containers, you could theoretically reuse the existing key material to not invalidate active tokens or sessions. At the moment, there is no way to easily migrate the key material.

Can we add some guidance to our docs?

wcabus avatar May 12 '25 09:05 wcabus

Suggestion by Anders: look into the IValidationKeysStore rather than migrating key material. It's better to (still) announce deprecated key material which is still valid for validating existing tokens than to replace key material.

wcabus avatar May 12 '25 11:05 wcabus
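The approach suggested in the comment above, written out as an added example (not code from the issue or from Duende): a custom `IValidationKeysStore` that announces the retired RS256 key for validation only, so tokens it signed remain verifiable while new tokens are signed by the X.509-backed credential. It assumes the Duende interface shape `Task<IEnumerable<SecurityKeyInfo>> GetValidationKeysAsync()`, that multiple `IValidationKeysStore` registrations are aggregated by the key material service, and that the legacy public key PEM and its `kid` are supplied by the operator.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Stores;
using Microsoft.IdentityModel.Tokens;

// Publishes a retired RS256 key as a validation-only key. It stays in the
// JWKS for as long as tokens signed with it can still be alive, then the
// registration is removed. It is never offered as a signing credential.
public sealed class LegacyRsaValidationKeysStore : IValidationKeysStore
{
    private readonly SecurityKeyInfo _legacyKey;

    // legacyPublicKeyPem: PEM-encoded *public* key of the old RS256 signing key
    // (hypothetical input; load it from your own secret store, the private half
    // is not needed for validation).
    // legacyKid: the "kid" the old key was published under, so the header of
    // already-issued tokens still matches this entry.
    public LegacyRsaValidationKeysStore(string legacyPublicKeyPem, string legacyKid)
    {
        var rsa = RSA.Create();
        rsa.ImportFromPem(legacyPublicKeyPem);

        _legacyKey = new SecurityKeyInfo
        {
            Key = new RsaSecurityKey(rsa) { KeyId = legacyKid },
            SigningAlgorithm = SecurityAlgorithms.RsaSha256 // "RS256"
        };
    }

    public Task<IEnumerable<SecurityKeyInfo>> GetValidationKeysAsync()
    {
        // Only the deprecated key is announced here; the active signing key is
        // provided by the X.509 credential registered on the builder.
        return Task.FromResult<IEnumerable<SecurityKeyInfo>>(new[] { _legacyKey });
    }
}

// Hypothetical Program.cs excerpt (assumed registration; adapt to your setup):
//
// builder.Services.AddIdentityServer()
//     .AddSigningCredential(newX509Certificate, SecurityAlgorithms.RsaSha256);
//
// builder.Services.AddSingleton<IValidationKeysStore>(
//     new LegacyRsaValidationKeysStore(legacyPublicKeyPem, legacyKid));
```

Once the longest-lived token signed by the legacy key has expired, drop the registration so the JWKS no longer advertises it.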

See also https://docs.duendesoftware.com/identityserver/fundamentals/key-management, which has guides on various key rotation scenarios.

josephdecock avatar May 13 '25 04:05 josephdecock

We found out (when dealing with the support issue that triggered adding this task) that switching from RS256 to RS256 + X.509 does keep the old RS256 key available for validation purposes. The issue at hand was that multiple containers were creating the new key material simultaneously, giving the effect of having two new X.509 signing keys.

Not sure if we actually need to update our docs to address this.

wcabus avatar Jun 17 '25 13:06 wcabus

Let's close for now

maartenba avatar Jun 17 '25 13:06 maartenba