govuk-one-login · sandymay-dd · Jan 20, 2025 · Jan 17, 2025 · Jan 17, 2025 · Jan 17, 2025
@@ -137,4 +137,16 @@ This schema is generated in the backend-api-push-to-main.yaml worfklow. To gener
 
 ```bash
 npm run generate-proxy-open-api
-```
+```
+
+#### JSON Web Keys
+
+The `./.well-known/jwks.json` endpoint hosts the JSON Web Keys. It contains a JSON Web Key object containing information about the ID Check encryption key. This is used by STS for encrypting the service token sent to the `GET /async/activeSession` endpoint in the Authorization header. The encryption algorithm is `RSA-OAEP-256`, see [STS technical design](https://govukverify.atlassian.net/wiki/spaces/DCMAW/pages/3844964353/Strategic+App+App+calls+a+protected+service) for the public key requirements.
+
+The encryption key is created in AWS KMS. The infrastructure code lives in the `./template.yaml`.
+
+The JSON Web Keys object is stored in AWS S3. The `/.well-known/jwks.json` endpoint retrieves the object from S3 via an AWS service integration. Note, this integration can occasionally return a 5XX error due to the distributed nature of AWS and consumers should be advised to retry in this scenario.
+
+The JSON Web Keys object is created when the stack is deployed for the first time. A Cloudformation custom resource sends a notification to the jwksHandler and this invokes the lambda. The lambda builds the JSON Web Keys object and uploads it to S3.
+
+Note: for redeployments of the application, the jwksWebKeys lambda is only invoked when the resource in the template.yaml is updated. By default the lambda is not updated when the lambda handler code is updated. To facilitate automatic updates of the lambda in this scenario, a parameter has been added to the Cloudformation template containing the lambda version arn. This version arn updates when the lambda handler code is changed, causing an invocation of the lambda.
@@ -458,7 +458,7 @@ paths:
                           "n": "kOBby1nEUcKc-94zIa2qCyqDSE1-2bLWkVjeF3DWY_0v2j9wlLSaR6asONen_HP40wftLOSPYRcKYv6Cjz3LOY7aQYznX14EXSgJxrDwQ7AleX2VS_HB34LMZEa3xmSSH7pLtw_vmJgCNss0zDQLCz1sQwZxlqphF18FdTTUrXbJ9Qk3xIrEzvL2naO2r6WoLBQ9tSr2Sz9TTcJQptfh6hOAHm66oPA6F9uCmbTDEQeI-wLiMMArtcKrGiPAFluo8f0qNkzLRMFIqyadnZ9OZ5u0-H_urOkmLJ2nbAnyTcO-9QeDlomdEMz3yEaJeUoq-jnPpVEfIbd8-07fl7M27w",
                           "e": "AQAB",
                           "use": "enc",
-                          "alg": "RS256",
+                          "alg": "RSA-OAEP-256",
                           "kid": "da48d440-8e51-4383-9a3a-b91ce5adcf2a"
                         }
                       ]

@@ -137,6 +137,6 @@ const ENCRYPTION_KEY_TO_JOSE_MAP: EncryptionKeyToJose = {
   ENCRYPT_DECRYPT: {
     USE: "enc",
     KEY_SPEC: "RSA_2048",
-    ALGORITHM: "RS256",
+    ALGORITHM: "RSA-OAEP-256",
   },
 };
@@ -137,7 +137,7 @@ describe("JWKS Builder", () => {
             n: "kOBby1nEUcKc-94zIa2qCyqDSE1-2bLWkVjeF3DWY_0v2j9wlLSaR6asONen_HP40wftLOSPYRcKYv6Cjz3LOY7aQYznX14EXSgJxrDwQ7AleX2VS_HB34LMZEa3xmSSH7pLtw_vmJgCNss0zDQLCz1sQwZxlqphF18FdTTUrXbJ9Qk3xIrEzvL2naO2r6WoLBQ9tSr2Sz9TTcJQptfh6hOAHm66oPA6F9uCmbTDEQeI-wLiMMArtcKrGiPAFluo8f0qNkzLRMFIqyadnZ9OZ5u0-H_urOkmLJ2nbAnyTcO-9QeDlomdEMz3yEaJeUoq-jnPpVEfIbd8-07fl7M27w",
             e: "AQAB",
             use: "enc",
-            alg: "RS256",
+            alg: "RSA-OAEP-256",
             kid: "da48d440-8e51-4383-9a3a-b91ce5adcf2a",
           },
           format: "jwk",
@@ -154,7 +154,7 @@ describe("JWKS Builder", () => {
         expect(buildJwksResponse.value).toStrictEqual({
           keys: [
             {
-              alg: "RS256",
+              alg: "RSA-OAEP-256",
               e: "AQAB",
               kid: keyId,
               kty: "RSA",

@@ -12,7 +12,7 @@ const mockEncryptionJwk: EncryptionJwk = {
   n: "kOBby1nEUcKc-94zIa2qCyqDSE1-2bLWkVjeF3DWY_0v2j9wlLSaR6asONen_HP40wftLOSPYRcKYv6Cjz3LOY7aQYznX14EXSgJxrDwQ7AleX2VS_HB34LMZEa3xmSSH7pLtw_vmJgCNss0zDQLCz1sQwZxlqphF18FdTTUrXbJ9Qk3xIrEzvL2naO2r6WoLBQ9tSr2Sz9TTcJQptfh6hOAHm66oPA6F9uCmbTDEQeI-wLiMMArtcKrGiPAFluo8f0qNkzLRMFIqyadnZ9OZ5u0-H_urOkmLJ2nbAnyTcO-9QeDlomdEMz3yEaJeUoq-jnPpVEfIbd8-07fl7M27w",
   e: "AQAB",
   use: "enc",
-  alg: "RS256",
+  alg: "RSA-OAEP-256",
   kid: "da48d440-8e51-4383-9a3a-b91ce5adcf2a",
 };
 

@@ -10,7 +10,7 @@ describe("JWKS Uploader", () => {
   const jwks: Jwks = {
     keys: [
       {
-        alg: "RS256",
+        alg: "RSA-OAEP-256",
         e: "AQAB",
         kid: "0df22121-40cc-41d7-b25c-b4da1a06ac24",
         kty: "RSA",

@@ -7,5 +7,5 @@ export interface EncryptionJwk extends JsonWebKey {
   use: EncryptionJwkUse;
 }
 
-export type EncryptionJwkAlgorithm = "RS256";
+export type EncryptionJwkAlgorithm = "RSA-OAEP-256";
 export type EncryptionJwkUse = "enc";
@@ -1497,6 +1497,8 @@ Resources:
     Properties:
       ServiceToken: !GetAtt JsonWebKeysFunction.Arn
       ServiceTimeout: 30
+      # The below value is not used by the lambda - it is a workaround to make the custom resource trigger the lambda each time the lambda code is updated
+      LambdaVersion: !Ref JsonWebKeysFunction.Version
 
   JsonWebKeysBucketApiRole:
     Type: AWS::IAM::Role

@@ -22,7 +22,7 @@ describe("Token Encrypter", () => {
                 n: "0wLh4PMAjSt17zLNFw9nnBdV901AWp0uuHQzGaz1-Wz1lAs-jN7nI90sQAyiv8MDlYWLrfUZKcQAAA0yjISp9UyTr8qgqsyAKiFBIcnoH7l4qV-U-VXe3rcMjr5BzrKdVK664YiF9coGaal-QDDd1VY0fvvom3DhGnh8MoezBQPKl6pynIaSiDHZUdSe8B9LdsjsKHt4SujGRR_QlERYISC0s4pCQu2gA9qsP-pFDfcklbLtskFtWa_utiPe48Y5xgrhj5r-hMz9Zi4R55mX6nymC9gypk7q6iiXGEQcMzxPMy0kgF4437PqA-0GmjJE24pGmVhnr33UL2i0tsfviw",
                 e: "AQAB",
                 use: "enc",
-                alg: "RS256",
+                alg: "RSA-OAEP-256",
                 kid: "456d2da6-9ca8-4e1d-b8c8-081109d73015",
               },
             ],