From 945c70b238ec3cc31613b3c17d5ad57c5a2eedee Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Thu, 18 Jul 2024 16:43:17 -0500
Subject: Retrieve newest JWK, creating a new JWK where necessary.
To help with key rotation, we fetch the latest key, creating a new JWK in any of the following 2 conditions:
* There is no JWK in the first place
* The "newest" key is older than a specified number of days
---
 gn_auth/settings.py | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'gn_auth/settings.py')
diff --git a/gn_auth/settings.py b/gn_auth/settings.py
index 7dc0105..ab6b079 100644
--- gn_auth/settings.py
+++ gn_auth/settings.py
@@ -32,6 +32,8 @@ CORS_HEADERS = [
 # OpenSSL keys
 CLIENTS_SSL_PUBLIC_KEYS_DIR = "" # clients' public keys' directory
 SSL_PRIVATE_KEY = "" # authorisation server primary key
+JWKS_ROTATION_AGE_DAYS = 7 # Days (from creation) to keep a JWK in use.
+JWKS_DELETION_AGE_DAYS = 14 # Days (from creation) to keep a JWK around before deleting it.
 ## Email
 SMTP_HOST = "smtp.genenetwork.org" # does not actually exist right now
-- 
cgit v1.2.3
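Review bot: The comments on the two added settings do not state the constraint that ties them together: `JWKS_DELETION_AGE_DAYS` has to exceed `JWKS_ROTATION_AGE_DAYS` by at least the longest lifetime of any token signed with a JWK. Otherwise a token issued just before rotation can outlive the public key that verifies it. With the defaults of 7 and 14 that leaves a seven-day verification window, which is only safe if no token signed this way lives longer than that. I would add a comment above the pair such as `# JWKS_DELETION_AGE_DAYS must exceed JWKS_ROTATION_AGE_DAYS by at least the longest token lifetime.` The code that reads these values is outside this patch, so if a deployment can override them, a startup check that rejects `JWKS_DELETION_AGE_DAYS <= JWKS_ROTATION_AGE_DAYS` would be worth confirming there.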