Documentation
¶
Overview ¶
Example 09: Key Rotation with Grace Periods.
In production, signing keys must be rotated periodically without breaking tokens that were issued with the old key. OneAuth uses `KidStore` + `CompositeKeyLookup` to keep the old key valid for a grace window after rotation.
Two-process architecture:
make serve # auth :8081 (registration + rotation), resource :8082 make demo # walkthrough that drives rotation in-process
In --serve mode an admin can drive rotation by hand:
POST /apps/dcr → returns client_id + client_secret (kv1)
POST /apps/{id}/rotate → returns new client_secret (kv2),
old key sticks in KidStore for grace period
GET /resource (Bearer token) → validates against KeyStore + KidStore
See: https://www.rfc-editor.org/rfc/rfc7517 (JWK)
Click to show internal directories.
Click to hide internal directories.