JWT signing key rotation

I’m planning on using JWT authentication using RSA. Is it possible to periodically change the signing RSA key without causing disruption? I can only see it’s possible to allow OpenSearch to trust one public key for validating JWTs.

@jimmyjones You mean replacement of signing_key in config.yml?

@pablo Yes. I’d have thought I should be able to add a second, start issuing JWTs from the new signing key, then remove the original once all previous JWTs have expired. However it seems impossible to add two - or is there another way of achieving the same outcome?

@jimmyjones This field is not an array, so you can’t configure more than one signing key.
You’ll need to use the securityadmin.sh script to update the signing key every time it changes. No node restart is required.

In regards to disruption, it depends on how you implement the change of the public key. If you update the config with the new public key first, then your requests should already be using the new private key.

You could also look into using JWKS if your IdP supports this (or you have a way of implementing a small shim service which serves the JWKS if your IdP can’t do this).

The OpenSearch docs only document it for OIDC, but as far as I’m aware you should also be able to use it with a pure JWT setup (I haven’t tried this yet but am also interested in this).