Idea ID: 2875132

NAM IDP should provide two OAuth signing certificates to support a certificate rollover without invalidating active refresh tokens

Status: Under Consideration

Support for multiple IDP signing certificates is in our immediate roadmap. We could not accommodate it for 5.1, but should be able to work on this after 5.1 release.


Some OAuth clients are using refresh tokens that are valid for a long period (e.g. up to 90 days).

Currently the change of the signing certificate requires users of these applications to re-authenticate on the IDP the next time they hit the application - even if their refresh token is only a few days old. This causes load on the systems and user confusion.

It is because the validation of refresh (and access) tokens fails after changing the signing certificate. This current behavior was confirmed by case 02503042.

To support a certificate rollover without invalidating active OAuth refresh tokens, NAM IDP should support two OAuth signing certificates in parallel for a period of time like:

  • after adding a new signing certificate all new tokens are generated using this new signing certificate,
  • but existing refresh tokens are also checked against the old/previous signing certificate in addition to the new/current signing certificate

best regards,
Thomas
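As an added illustration of the rollover scheme the idea proposes (not NAM code, not part of the original post): a token issuer/verifier that signs new tokens only with the current certificate but still accepts tokens signed by the previous one until the longest refresh token it could have signed has expired. The HMAC secrets, the `kid` values `cert-2023`/`cert-2024` and the 90-day window are constructed assumptions standing in for the IDP's two signing certificates.

```python
import base64, hashlib, hmac, json, time

# Constructed HMAC secrets stand in for the two IDP signing certificates so the
# example runs with the standard library; a real IDP would use its asymmetric keys.
KEYS = {"cert-2023": b"old-signing-secret", "cert-2024": b"new-signing-secret"}
CURRENT_KID, PREVIOUS_KID = "cert-2024", "cert-2023"
# The previous certificate is accepted only until the longest refresh token it
# could have signed (90 days in the post) has expired; after that it is retired.
PREVIOUS_ACCEPTED_UNTIL = time.time() + 90 * 24 * 3600

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_with(kid: str, claims: dict) -> str:
    """Build a compact JWS signed by the named certificate (constructed helper)."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def issue_token(claims: dict) -> str:
    """After the rollover, new tokens are signed only with the current certificate."""
    return sign_with(CURRENT_KID, claims)

def verify_token(token: str, now=None):
    """Return the claims if the signature matches the current certificate, or the
    previous one while the rollover window is open; otherwise return None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, sig = json.loads(b64url_decode(h)), b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    kid = header.get("kid") if isinstance(header, dict) else None
    if kid == CURRENT_KID:
        key = KEYS[CURRENT_KID]
    elif kid == PREVIOUS_KID and now < PREVIOUS_ACCEPTED_UNTIL:
        key = KEYS[PREVIOUS_KID]
    else:
        return None  # unknown kid, or the previous certificate is already retired
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(b64url_decode(p))  # parsed only after the signature checks out
    return claims if claims.get("exp", 0) > now else None
```

The `kid` header only selects which certificate to try; a token whose signature does not match the selected certificate is still rejected, so the previous certificate cannot be used to forge tokens for the current one.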