From 9af93ff090c3f288dc2fd5d059b14cc30bd8d75d Mon Sep 17 00:00:00 2001 From: Brad Jones Date: Wed, 5 Aug 2020 15:47:31 -0600 Subject: [PATCH] Update README stating specific requirements for SIGNING_KEY (#1217) Makes clear it must be an EC key and also that it must be present in the authentication service, if run separately. --- docs/reference/readme.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/reference/readme.md b/docs/reference/readme.md index 02b3afc49..bef412afb 100644 --- a/docs/reference/readme.md +++ b/docs/reference/readme.md @@ -1197,9 +1197,11 @@ If unspecified: - Type: [base64 encoded] `string` - Optional -Signing Key is the key used to sign a user's attestation JWT which can be consumed by upstream applications to pass along identifying user information like username, id, and groups. +Signing Key is the [Elliptic Curve] private key used to sign a user's attestation JWT which can be consumed by upstream applications to pass along identifying user information like username, id, and groups. -If set, the signing key's public key will can retrieved by hitting Pomerium's `/.well-known/pomerium/jwks.json` endpoint which lives on the authenticate service. For example: +If set, the signing key's public key will can retrieved by hitting Pomerium's `/.well-known/pomerium/jwks.json` endpoint which lives on the authenticate service. (If running the authentication service separately, this option must also be set there.) + +For example: ```bash $ curl https://authenticate.int.example.com/.well-known/pomerium/jwks.json | jq @@ -1233,3 +1235,4 @@ If no certificate is specified, one will be generated and the base64'd public ke [signed headers]: ./signed-headers.md [toml]: https://en.wikipedia.org/wiki/TOML [yaml]: https://en.wikipedia.org/wiki/YAML +[Elliptic Curve]: https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations#Generating_EC_Keys_and_Parameters
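Review bot: the rewritten line in the first hunk (`@@ -1197,9 +1197,11 @@`) carries the pre-existing grammar slip "the signing key's public key will can retrieved by hitting" unchanged; since that line is being edited anyway, change it to "can be retrieved from Pomerium's `/.well-known/pomerium/jwks.json` endpoint". The new parenthetical "(If running the authentication service separately, this option must also be set there.)" should also state that it must be set to the same key on both services, because the JWKS published by the authenticate service is only useful to upstream applications if it corresponds to the private key that actually signs the attestation JWT. Finally, "[Elliptic Curve] private key" together with "Type: [base64 encoded] `string`" still leaves a reader who follows the OpenSSL link without the two facts they need to produce a valid value: which curve(s) are accepted and what the base64 string is expected to wrap (for example a PEM-encoded EC PRIVATE KEY block); a one-line `openssl ecparam`/`base64` example would close that gap.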
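Review bot: the reference definition added in the second hunk (`@@ -1233,3 +1235,4 @@`) does not follow the conventions of the existing link list: the other labels (`[base64 encoded]`, `[signed headers]`, `[toml]`, `[yaml]`) are lowercase and kept in alphabetical order, whereas `[Elliptic Curve]` is capitalised and appended after `[yaml]`. Use `[elliptic curve]` (updating the inline reference in the first hunk to match) and insert it before `[signed headers]`. Linking to a section fragment (`#Generating_EC_Keys_and_Parameters`) on an external wiki is also brittle; linking the page itself, or the upstream `openssl-ecparam` manual, is less likely to rot.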