letro/letro-authentication-service
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Add a little bit of explanation to the documentation about keys

Browse Source
This commit is contained in:
Olivier 'reivilibre
2025-11-25 15:43:01 +00:00
parent 1d2f7fecf8
commit 2cc75f1da3
1 changed files with 13 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
docs/reference/configuration.md
View File

@@ -196,7 +196,7 @@ secrets:
# Signing keys
keys:
# It needs at least an RSA key to work properly
# At least one RSA key must be configured
- key_file: keys/rsa_key
- kid: "iv1aShae"
key: |
@@ -238,9 +238,21 @@ The following key formats are supported:
- PKCS#8 PEM or DER-encoded RSA or ECDSA private key, encrypted or not
- SEC1 PEM or DER-encoded ECDSA private key
The signing keys are used for signing ID Tokens (as returned in the [Token Endpoint]
at `/oauth2/token`) and for signing the response of the [UserInfo Endpoint] at
`/oauth2/userinfo` if the client requests a signed response.
At a minimum, an RSA key must be configured in order to be compliant with the
[OpenID Connect Core specification][oidc-core-rs256] which specifies the RS256 algorithm
as mandatory to implement by servers for interoperability reasons.
The keys can be given as a directory path via `secrets.keys_dir`
or, alternatively, as an inline configuration list via `secrets.keys`.
[Token Endpoint]: https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
[UserInfo Endpoint]: https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
[oidc-core-rs256]: https://openid.net/specs/openid-connect-core-1_0.html#ServerMTI
#### `secrets.keys_dir`
Path to the directory containing MAS signing key files.