Update the server stack to support per-resource-server encryption material
Confirm you've already contributed to this project or that you sponsor it
- [x] I confirm I'm a sponsor or a contributor
Describe the solution you'd like
It's already possible to select a specific key on-the-fly using the events model (via the GenerateToken event) to achieve that, but OpenIddict doesn't currently offer a way to do that automatically.
As part of this task, we'll likely want to support both static key material (stored as a JsonWebKeySet alongside the OpenIddict*Application DB entry representing the resource server app) and dynamic key material (represented as a new JsonWebKeySetUri property that allows retrieving the JWKS document dynamically, using HTTP/HTTPS).
Additional context
No response
> (represented as a new JsonWebKeySetUri property that allows retrieving the JWKS document dynamically, using HTTP/HTTPS).
Note that we may also want to combine that with https://github.com/openiddict/openiddict-core/issues/2400 to avoid hardcoding the JWKS URI and retrieve the URI dynamically using resource server metadata.
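
The manual approach mentioned in the issue description (selecting a key on-the-fly from a GenerateToken event handler), sketched as an added example that is not OpenIddict's own code. `UsePerAudienceEncryption` and the `keySets` registry are hypothetical names; the sketch assumes OpenIddict 7.x, JWT access tokens, RSA public keys in each resource server's JWKS, and RSA-OAEP with A256CBC-HS512 as the chosen algorithms.

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;
using static OpenIddict.Server.OpenIddictServerEvents;
using static OpenIddict.Server.OpenIddictServerHandlers.Protection;

public static class PerAudienceEncryptionExtensions
{
    // keySets is a hypothetical in-memory registry: audience -> public JWKS of that resource server.
    public static OpenIddictServerBuilder UsePerAudienceEncryption(
        this OpenIddictServerBuilder builder, IReadOnlyDictionary<string, JsonWebKeySet> keySets)
        => builder.AddEventHandler<GenerateTokenContext>(handler => handler
            .UseInlineHandler(context =>
            {
                // Only access tokens are meant for resource servers. OpenIddict 7.x naming is
                // assumed; earlier versions expose this value as TokenTypeHints.AccessToken.
                if (context.TokenType is not TokenTypeIdentifiers.AccessToken)
                    return default;

                // A token encrypted here has a single recipient key, so skip ambiguous audiences.
                var audiences = context.Principal.GetAudiences();
                if (audiences.Length != 1 || !keySets.TryGetValue(audiences[0], out var keySet))
                    return default; // no per-audience material: keep the server-wide credentials

                // Accept only public RSA keys that are not restricted to signing.
                var key = keySet.Keys.FirstOrDefault(k =>
                    k.Kty == JsonWebAlgorithmsKeyTypes.RSA && !k.HasPrivateKey &&
                    (string.IsNullOrEmpty(k.Use) || k.Use == JsonWebKeyUseNames.Enc));

                if (key is null)
                {
                    // Fail closed: a registered resource server must never silently
                    // receive a token encrypted with the shared server-wide key.
                    context.Reject(
                        error: Errors.ServerError,
                        description: "No usable encryption key is registered for this audience.");
                    return default;
                }

                context.EncryptionCredentials = new EncryptingCredentials(
                    key, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes256CbcHmacSha512);
                return default;
            })
            // Run after the built-in handler that attaches the default credentials.
            .SetOrder(AttachSecurityCredentials.Descriptor.Order + 500));
}
```

The resource server then needs the matching private key registered as a decryption key in its validation stack, and the authorization server can no longer read these access tokens itself.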