IBM Security Verify


JSON Web Key (JWK) needs support for automatic key rotation

Today Verify does not rotate keys automatically, which is the best practice recommended by the National Institute of Standards and Technology (NIST).

Here are two common key rotation algorithms:

  1. JWKS contains the previously used key and the active key. When a new key becomes active, the current key becomes the previous key:
    keys: [
      { previously used JWK },
      { current active JWK }
    ]

  2. JWKS contains 3 keys:
    keys: [
      { previously used JWK },
      { current active JWK },
      { future JWK }
    ]

Note 1: The "previously used JWK" is included so that previously issued tokens continue to work. However, this key should be removed after a certain time, usually waiting until all JWTs issued under it have expired since the last rotation.

It is also acceptable not to include the previously used JWK, as most RPs today expect the JWK to be rotated constantly and know how to react to key rotation.

Note 2: The 'kid' has to be unique for each new key, so the RP can locate the key by its unique kid. Most RPs rely on the uniqueness of kid to support key rotation.

I see that Verify today hardcodes 'kid' as 'server', which has to be changed to a unique identifier in order for RPs to support key rotation.

  • Guest
  • Nov 8 2021
  • Future consideration
  • Guest commented
    8 Nov, 2021 05:15pm

    Not preserving the previously used JWK may be okay, as most RPs today usually cache the old key for a certain time and expect that the key will be rotated.
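The following is an added example written for this page; it is not IBM Security Verify code and does not describe how Verify implements anything. It shows the second scheme from the idea above (previous/current/future keys in the JWKS, each with a unique kid, the previous key retired once every token it signed has expired) together with the relying-party behaviour the comment describes (cache keys by kid, refetch the JWKS once when an unknown kid appears). The Issuer and RelyingParty classes, the in-memory fetch_jwks callable standing in for an HTTP GET of the jwks_uri, and the fixed clock values are all assumptions made for the example. HMAC keys (kty "oct") are used only so the code runs on the Python standard library; a real identity provider publishes public RSA or EC keys, and the rotation and lookup logic is the same.

```python
# Added example (not IBM Security Verify code): JWKS rotation with previous/current/future
# slots and an RP that caches keys by kid. HMAC keys only so this runs on the stdlib.
import base64
import hashlib
import hmac
import json
import os

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class Issuer:
    """previous = grace period for issued tokens, current = signs now, future = pre-published."""

    def __init__(self, token_ttl, now):
        self.token_ttl = token_ttl  # longest lifetime of any token this issuer mints
        self.previous, self.current, self.future = None, self._new_key(), self._new_key()
        self.rotated_at = now

    @staticmethod
    def _new_key():
        secret = os.urandom(32)
        # kid must differ for every key (derived from the key material here), never a fixed string
        return {"kty": "oct", "alg": "HS256", "use": "sig",
                "kid": hashlib.sha256(secret).hexdigest()[:16], "k": b64url(secret)}

    def rotate(self, now):
        """future -> current, current -> previous, and mint a new future key."""
        self.previous, self.current, self.future = self.current, self.future, self._new_key()
        self.rotated_at = now

    def jwks(self, now):
        """Published key set; the previous key is dropped once every token it signed has expired."""
        if self.previous is not None and now - self.rotated_at > self.token_ttl:
            self.previous = None
        return {"keys": [k for k in (self.previous, self.current, self.future) if k is not None]}

    def sign(self, claims, now):
        header = {"alg": "HS256", "typ": "JWT", "kid": self.current["kid"]}
        payload = dict(claims, iat=now, exp=now + self.token_ttl)
        signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                                 for p in (header, payload))
        mac = hmac.new(b64url_decode(self.current["k"]), signing_input.encode(), hashlib.sha256)
        return signing_input + "." + b64url(mac.digest())

class RelyingParty:
    """Caches the JWKS by kid; refetches once when a token carries a kid it has not seen."""

    def __init__(self, fetch_jwks):
        self.fetch_jwks = fetch_jwks  # hypothetical stand-in for an HTTP GET of the jwks_uri
        self.cache, self.fetches = {}, 0

    def _refresh(self):
        self.fetches += 1
        self.cache = {k["kid"]: k for k in self.fetch_jwks()["keys"]}

    def verify(self, token, now):
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("kid") not in self.cache:
            self._refresh()  # unknown kid: the issuer may have just rotated
        key = self.cache.get(header.get("kid"))
        if key is None or header.get("alg") != key["alg"]:  # never trust alg from the header alone
            raise ValueError("no usable key for kid %r" % header.get("kid"))
        expected = hmac.new(b64url_decode(key["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(p))
        if claims["exp"] <= now:
            raise ValueError("token expired")
        return claims

def simulate():
    """One rotation cycle on a constructed clock; returns the observable effects."""
    clock = {"now": 1_700_000_000}  # constructed timestamps, not real data
    issuer = Issuer(token_ttl=3600, now=clock["now"])
    rp = RelyingParty(lambda: issuer.jwks(clock["now"]))
    old_kid = issuer.current["kid"]
    tok1 = issuer.sign({"sub": "alice"}, clock["now"])
    rp.verify(tok1, clock["now"])  # empty cache: exactly one fetch
    fetches_after_first = rp.fetches
    clock["now"] += 600
    issuer.rotate(clock["now"])
    tok2 = issuer.sign({"sub": "bob"}, clock["now"])
    rp.verify(tok2, clock["now"])  # future key was already cached: no refetch
    old_still_valid = rp.verify(tok1, clock["now"])["sub"] == "alice"
    clock["now"] += 3601  # more than token_ttl since the rotation
    kids_now = [k["kid"] for k in issuer.jwks(clock["now"])["keys"]]
    try:
        RelyingParty(lambda: issuer.jwks(clock["now"])).verify(tok1, clock["now"])
        old_rejected = False
    except ValueError:
        old_rejected = True
    return {"old_kid": old_kid, "fetches_after_first": fetches_after_first,
            "fetches_after_rotation": rp.fetches, "old_still_valid": old_still_valid,
            "kids_after_retirement": kids_now, "old_rejected": old_rejected}

if __name__ == "__main__":
    print(json.dumps(simulate(), indent=2))
```

Running simulate() shows why a unique kid matters: the RP resolves each token to a specific key by kid, an already-cached future key means no JWKS round trip at rotation time, a token signed by the previous key keeps working until it expires, and once the grace period has passed the previous kid disappears from the JWKS and a fresh RP rejects tokens carrying it. With a constant kid such as 'server' the cache lookup in RelyingParty.verify would return whichever key was cached first and every rotation would break verification until the RP refetched.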
