Status Unreviewed
Categories Platform
Created by Guest
Created on Apr 23, 2024

Support key rotation for Google OIDC

Currently, the SSO settings require a public key to be keyed in when the JWT Signature Type is RS256. For Google OIDC, the public key corresponds to the KID that Google uses to sign the token.

Google rotates their KIDs every 1-2 weeks, so manually setting the public key doesn't work well with Google's method of signing tokens. Instead, they publish an endpoint that can be used to retrieve the public keys for their KIDs, and the server validating the token is intended to dynamically pull those public keys based on the KID used to sign the token: https://www.googleapis.com/oauth2/v1/certs

It would be nice if, instead of a public key, the user could input nothing, or input the cert endpoint above, and Absorb would pull the public keys and validate in real time. This would ensure that if Google rotates the KIDs, it doesn't break SSO until a user manually updates the public key in Absorb.
