Overview
Transition from the current HS256 symmetric key-based JWT authentication to RS256 asymmetric key-based authentication, and establish an enterprise-grade key management system utilizing AWS KMS and Secrets Manager. A JWKS endpoint will be provided to allow external services to verify JWTs using the Public Key.
Background & Objectives
Current State
- Uses HS256 algorithm (src/core/jwt_logic.py)
- Secret key loaded from environment variables
- JWT verification is only possible with knowledge of the Secret
Objectives
- Strengthen security using AWS managed key services
- Expose Public Key via JWKS to enable independent JWT verification across microservices
- Compliance with OAuth 2.0 / OIDC standards
- Support zero-downtime key rotation
Expected Benefits
- Private key is not exposed in code or environment variables
- Automatic collection of key usage audit logs via AWS CloudTrail
- Ability to utilize Secrets Manager automatic rotation features
- Eliminates the need to share secrets for inter-service JWT verification
Overview
Transition from the current HS256 symmetric key-based JWT authentication to RS256 asymmetric key-based authentication, and establish an enterprise-grade key management system utilizing AWS KMS and Secrets Manager. A JWKS endpoint will be provided to allow external services to verify JWTs using the Public Key.
Background & Objectives
Current State
Objectives
Expected Benefits