My favorites are the systems where you can only issue one token, so that you can't do a zero-downtime rotation by creating a new one, making it active in your system, and only then removing the old one.
In some cases this makes rotation a big event to be avoided because costs are higher than gains.
I am still surprised that Keycloak makes this so hard. They finally added support for n=2 but it’s still walled off behind a “this is experimental, use at your own risk” warning, and it’s something that literally every OIDC client needs to do if you have any kind of compliance requirements.
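The rotation order discussed in this thread (create the new secret, make it active, only then remove the old one) compared with a one-slot system, as an added example that is not part of any comment and not Keycloak's code. `SecretSlots`, `rotate` and the probe counting are hypothetical names and a constructed model.

```python
import hashlib
import hmac
import secrets

class SecretSlots:
    """Hypothetical server-side store of hashed client secrets, fixed slot count."""
    def __init__(self, max_active):
        self.max_active = max_active
        self._hashes = {}  # secret id -> SHA-256 digest of the secret

    def issue(self):
        if len(self._hashes) >= self.max_active:
            raise RuntimeError("slot limit reached: revoke before issuing")
        secret_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self._hashes[secret_id] = hashlib.sha256(secret.encode()).digest()
        return secret_id, secret

    def revoke(self, secret_id):
        del self._hashes[secret_id]

    def verify(self, presented):
        digest = hashlib.sha256(presented.encode()).digest()
        # Constant-time comparison against each active slot.
        return any(hmac.compare_digest(digest, h) for h in self._hashes.values())

def rotate(store, old_id, old_secret):
    """Rotate one client secret; return (new_id, new_secret, failed_probes)."""
    in_use = old_secret          # what the deployed client currently sends
    failed = 0

    def probe():                 # one simulated client authentication attempt
        nonlocal failed
        failed += 0 if store.verify(in_use) else 1

    if store.max_active >= 2:
        new_id, new_secret = store.issue()   # 1. create new; old still valid
        probe()
        in_use = new_secret                  # 2. deploy new secret to the client
        probe()
        store.revoke(old_id)                 # 3. only now remove the old one
        probe()
    else:
        store.revoke(old_id)                 # forced: free the only slot first
        probe()                              # client still sends the revoked secret
        new_id, new_secret = store.issue()
        probe()                              # new secret exists but is not deployed
        in_use = new_secret
        probe()
    return new_id, new_secret, failed
```

With two slots every probe succeeds; with one slot the client fails from the revocation until the new secret is deployed.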