
Spring Cloud Security JWT: Distribute Public Key using Config Server / Key Rotation

How do you manage your Private / Public Keys for signing / validating JWTs in a Spring Cloud environment?

The "problem":

At the moment I generate a Key Pair. Then copy Private + Public Key to my auth-server application. And also copy the Public Key to each and every Resource Server.

When I now want to implement "Key Rotation" I have to somehow populate the new keys to every service.


The idea:

Maybe I could use the spring-cloud-config-server to store and distribute the Key Pairs?

The config server already provides database login credentials. So why not store even more sensitive information there?


Question(s):

If this is the way to go: How would you implement the key pair distribution with spring-cloud-config-server?

Do you have any security concerns?

How did you solve this problem? I guess there are better solutions.


EDIT:

Maybe there's some solution using Spring OAuth's security.oauth2.resource.jwt.keyUri property for JWKs?

First of all, I would add a gateway to hide the JWT mechanism. It will allow you to revoke tokens from the gateway. If a user knows his token, you can't revoke it without revoking the public key. It will look like this:

[image]

It's easy to implement with Zuul's filters and session-scoped beans.

Secondly, as you said in the comments, you can simply create a new private key to generate new tokens. But all your resource servers must be able to read all the previously generated tokens. So you need to have a list of public keys on each resource server, and each time you receive a request, you must try to verify it with each public key. Maybe you can add a public key id (and put the id on each generated token) to avoid a dumb lookup for this task.

For key distribution, using Spring Cloud Bus and RabbitMQ seems right to me.
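The key-id lookup this answer describes, as an added example that is my own code and not the answerer's or Spring's: a plain-JDK RS256 signer and verifier in which the resource server keeps a map of trusted public keys by key id (the standard JWS `kid` header), keeps the previous public key during rotation so tokens it signed still verify, rejects tokens whose `kid` it has never received, and drops the old key once it is retired. The key ids (2019-01, 2019-02, 2019-03), the hand-assembled JSON headers and the payloads are constructed for the demo; a real Spring deployment would publish the keys as a JWK Set and use a JOSE library rather than string-built headers.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added demo (not Spring code): RS256 JWT signing/verification with kid-based key selection. */
public class KidRotationDemo {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    /** Public keys this resource server trusts, keyed by kid. In production this map is fed from config / a JWK Set. */
    private final Map<String, PublicKey> trustedKeys = new LinkedHashMap<>();

    static KeyPair newKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    /** Auth-server side: sign a compact JWS with the current private key and stamp its kid into the header. */
    static String sign(String kid, String payloadJson, PrivateKey key) throws Exception {
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"" + kid + "\"}";
        String signingInput = b64(header) + "." + b64(payloadJson);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(sig.sign());
    }

    /** Resource-server side: select the key by kid instead of trying every key; returns the payload or null. */
    String verify(String jwt) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return null;
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        String kid = extract(header, "kid");
        String alg = extract(header, "alg");
        if (kid == null || !"RS256".equals(alg)) return null;   // pin the algorithm; never accept alg=none
        PublicKey pub = trustedKeys.get(kid);
        if (pub == null) return null;                           // unknown or retired key id
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(pub);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(B64D.decode(parts[2]))
                ? new String(B64D.decode(parts[1]), StandardCharsets.UTF_8)
                : null;
    }

    /** Minimal string-field extraction for the demo's own flat headers (no JSON library needed). */
    private static String extract(String json, String field) {
        String needle = "\"" + field + "\":\"";
        int i = json.indexOf(needle);
        if (i < 0) return null;
        int start = i + needle.length();
        int end = json.indexOf('"', start);
        return end < 0 ? null : json.substring(start, end);
    }

    private static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        KidRotationDemo resourceServer = new KidRotationDemo();

        // Phase 1: only key 2019-01 exists; tokens are signed with it.
        KeyPair k1 = newKeyPair();
        resourceServer.trustedKeys.put("2019-01", k1.getPublic());
        String oldToken = sign("2019-01", "{\"sub\":\"alice\"}", k1.getPrivate());

        // Phase 2 (rotation): auth server switches to 2019-02; resource servers add the new public key but keep the old one.
        KeyPair k2 = newKeyPair();
        resourceServer.trustedKeys.put("2019-02", k2.getPublic());
        String newToken = sign("2019-02", "{\"sub\":\"bob\"}", k2.getPrivate());
        System.out.println("old token still verifies: " + (resourceServer.verify(oldToken) != null));
        System.out.println("new token verifies:       " + (resourceServer.verify(newToken) != null));

        // A token carrying a kid the resource server was never given is rejected by the lookup alone.
        KeyPair undistributed = newKeyPair();
        String unknownKid = sign("2019-03", "{\"sub\":\"carol\"}", undistributed.getPrivate());
        System.out.println("unknown kid rejected:     " + (resourceServer.verify(unknownKid) == null));

        // Phase 3: once every token signed by 2019-01 has expired, retire it; its tokens stop verifying.
        resourceServer.trustedKeys.remove("2019-01");
        System.out.println("retired kid rejected:     " + (resourceServer.verify(oldToken) == null));
    }
}
```

Compile and run with `javac KidRotationDemo.java && java KidRotationDemo`. The retirement step is what makes rotation safe rather than just possible: the old public key stays in every resource server's map for at least the maximum token lifetime, then is removed, so the window in which a compromised old private key still yields accepted tokens is bounded. The demo checks only the signature; a real verifier also validates `exp`, `iss` and `aud` before trusting the payload.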

You should consider the use of Spring Cloud Consul Config instead:

Consul provides a Key/Value Store for storing configuration and other metadata. Spring Cloud Consul Config is an alternative to the Config Server and Client. Configuration is loaded into the Spring Environment during the special "bootstrap" phase. Configuration is stored in the /config folder by default. Multiple PropertySource instances are created based on the application's name and the active profiles that mimics the Spring Cloud Config order of resolving properties.

You can POST to /refresh to update your key, or watch for changes:

The Consul Config Watch takes advantage of the ability of consul to watch a key prefix. The Config Watch makes a blocking Consul HTTP API call to determine if any relevant configuration data has changed for the current application. If there is new configuration data a Refresh Event is published.
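A resource server's bootstrap configuration for the Consul setup this answer describes, as an added example constructed here rather than taken from the answer or the Spring Cloud Consul documentation. The `spring.cloud.consul.config.*` watch settings and the actuator exposure are real Spring Cloud Consul / Spring Boot 2 property names; the application name, the Consul address, and the `jwt.keys` layout under which the public keys would be stored are assumptions made for the example.

```yaml
# bootstrap.yml of a resource server (constructed example, not from the answer above)
spring:
  application:
    name: resource-server          # assumed name; Consul keys are read from config/resource-server/
  cloud:
    consul:
      host: localhost              # assumed Consul agent address
      port: 8500
      config:
        enabled: true
        prefix: config             # KV prefix; the answer's "/config folder"
        format: YAML               # whole YAML document stored under one key ...
        data-key: data             # ... named config/resource-server/data
        watch:
          enabled: true            # blocking watch on the key prefix; publishes a RefreshEvent on change
          delay: 1000              # milliseconds between watch polls
          wait-time: 55            # seconds a blocking Consul query may wait before returning
management:
  endpoints:
    web:
      exposure:
        include: refresh           # manual alternative: POST /actuator/refresh after updating the key
```

With this in place the YAML document stored at `config/resource-server/data` would hold a map such as `jwt.keys.<kid>` (assumed layout) containing PEM-encoded public keys, and a `@RefreshScope` bean that builds the verification key map from those properties is rebuilt on each refresh event, so adding a new key id or retiring an old one is a Consul write rather than a redeploy. Only public keys belong in the shared store; the signing key stays on the auth server, and the `config/` prefix should be restricted with a Consul ACL policy so that a service able to read its own configuration cannot also overwrite the trusted key set of every other service.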
