Signing Service Integration

Description

The current AAS Solution uses within the JWKSource definition and static set of keys which are generated at bootstrap time. This could in distributed scenarios a problem, because when one instance is rebooting, the tokens of another instance are not more valid during introspection time. Next to that, the singatures for the tokens are somewhere create deep inside the auth server, which makes it hard to control the key pair properly.

Change Description

The handling of the keypair should be hand over to an seperate microservice. This should be an java module which must implement an interface to support various signing and key management solutions. For example:

public interface IKeyManagement {

JWKSource getSource(); bool verify(string tokenHash); string sign(string payloadHash); }

An potential implementation can then create a keypair locally, or by using hashicorp transit engine or by using HSMs etc. In the case of a vault solution the keypair and the signatures would be automatically the same.