Skip to content

[Feature] Implement JWKS - Establish RS256 JWT authentication system based on AWS KMS/Secrets Manager #5

Description

@psh9508

Overview

Transition from the current HS256 symmetric key-based JWT authentication to RS256 asymmetric key-based authentication, and establish an enterprise-grade key management system utilizing AWS KMS and Secrets Manager. A JWKS endpoint will be provided to allow external services to verify JWTs using the Public Key.

Background & Objectives

Current State

  • Uses HS256 algorithm (src/core/jwt_logic.py)
  • Secret key loaded from environment variables
  • JWT verification is only possible with knowledge of the Secret

Objectives

  • Strengthen security using AWS managed key services
  • Expose Public Key via JWKS to enable independent JWT verification across microservices
  • Compliance with OAuth 2.0 / OIDC standards
  • Support zero-downtime key rotation

Expected Benefits

  • Private key is not exposed in code or environment variables
  • Automatic collection of key usage audit logs via AWS CloudTrail
  • Ability to utilize Secrets Manager automatic rotation features
  • Eliminates the need to share secrets for inter-service JWT verification

Metadata

Metadata

Assignees

Labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions