OpenIddict Key Rotation
The OpenIddict Key Rotation component, built by Rock Solid Knowledge, provides a simple and reliable way to enable automatic signing key generation and rotation for OpenIddict.
Why Key Rotation?
Key rotation is a critical part of managing a production OpenID Connect (OIDC) system. Regular rotation of signing keys helps minimize the impact of a potential key compromise by ensuring that long-lived tokens cannot be forged using outdated or exposed keys. It also allows you to safely expire and replace credentials without disrupting client applications.
By default, OpenIddict requires signing credentials to be configured explicitly. These must typically be generated and registered in code using the appropriate configuration APIs.
Learn more about signing credentials.
If the configured credentials are asymmetric keys embedded in X.509 certificates, OpenIddict will order and select them based on their NotBefore and NotAfter dates, enabling limited rotation. However, adding or removing credentials still requires a redeployment.
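The limited rotation described above, as an added example that is not part of this page or of the OpenIddict or Rock Solid Knowledge code: two signing certificates with staggered validity windows are registered at startup, and OpenIddict orders them by their NotBefore and NotAfter dates. The self-signed certificate helper and the subject names are illustrative assumptions; a real deployment loads certificates from a store or vault, and replacing one still means redeploying.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;

// Added example: built-in OpenIddict credential selection by certificate validity window.
public static class SigningCredentialsSetup
{
    // Illustrative helper (assumption, not part of OpenIddict): creates a self-signed
    // RSA certificate with the given validity window so the ordering can be observed.
    static X509Certificate2 CreateCertificate(string subject, DateTimeOffset notBefore, DateTimeOffset notAfter)
    {
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        request.CertificateExtensions.Add(
            new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
        return request.CreateSelfSigned(notBefore, notAfter);
    }

    public static void ConfigureServices(IServiceCollection services)
    {
        var now = DateTimeOffset.UtcNow;

        // Current key: already valid, expires in 90 days.
        var current = CreateCertificate("CN=Signing Key A (example)", now.AddDays(-10), now.AddDays(90));

        // Successor key: its window starts in 60 days and overlaps the current one,
        // so the switch happens without a gap; OpenIddict orders the two by their
        // NotBefore/NotAfter dates rather than by registration order.
        var next = CreateCertificate("CN=Signing Key B (example)", now.AddDays(60), now.AddDays(180));

        services.AddOpenIddict()
            .AddServer(options =>
            {
                options.AddSigningCertificate(current)
                       .AddSigningCertificate(next);

                // Encryption credentials are configured separately and are omitted here.
                // Adding a third signing certificate later requires editing this code
                // and redeploying, which is the limitation the Key Rotation component removes.
            });
    }
}
```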
The Key Rotation component automates the generation, storage, protection, and exposure of signing keys, enabling a hands-off, best-practice approach to credential lifecycle management.
To get started, request a demo or visit the installation guide.