With v2.0.0 of Key Rotation, you can now rotate encryption keys. When JWT encryption is enabled, we recommend using the introspection endpoint to validate tokens.
Using Introspection Endpoint (Our Recommendation)
Using reference tokens and introspection is one way to avoid this issue: the protected resource no longer needs to decrypt the access token (and so never needs the encryption key at all), and instead presents the opaque reference token to the introspection endpoint to retrieve the claim values.
Use the following example to enable reference token and introspection usage in OpenIddict.
```csharp
.AddServer(options =>
{
    // ...
    options
        // ... (other URI configuration calls)
        .SetIntrospectionEndpointUris("connect/introspect");
    // ...
});
```
Configure an application in OpenIddict with the introspection permission; this is the client identity your protected resource will use when calling the introspection endpoint. Here is an example of the configuration you may want to use. If you have AdminUI set up alongside OpenIddict, you can configure this through AdminUI instead.
```csharp
using static OpenIddict.Abstractions.OpenIddictConstants;

// Descriptor passed to IOpenIddictApplicationManager.CreateAsync(...).
// The secret below is a placeholder; use a strong, generated secret in practice.
new OpenIddictApplicationDescriptor
{
    ClientId = "resource_server_1",
    ClientSecret = "fakeSecret1234",
    Permissions =
    {
        Permissions.Endpoints.Introspection
    }
};
```
Then, in your protected resource, you will need to set up validation so that tokens are verified via the introspection endpoint rather than decrypted locally. Here is an example of what that may look like. (You could be using any OpenID Connect package to set this up; here I am using the OpenIddict one.)
```csharp
.AddValidation(options =>
{
    // ...
    options.AddAudiences("resource_server_1");

    // Configure the validation handler to use introspection and register the client
    // credentials used when communicating with the remote introspection endpoint.
    options.UseIntrospection()
           .SetClientId("resource_server_1")
           .SetClientSecret("fakeSecret1234");
    // ...
});
```
Disabling JWT Encryption
Another option is to turn off JWT encryption, although this is less desirable because the claims in the access token then become readable by the client and by anyone else who obtains the token. Adding one line to your `.AddServer` configuration action, like so, will do this.
```csharp
.AddServer(options =>
{
    options.DisableAccessTokenEncryption();
    // ...
});
```