Federated JWT Security & JWKS Verification

The Federated JWT Security module enforces RS256 asymmetric cryptographic signing for all platform authentication tokens, with public key distribution through a standards-compliant JWKS (JSON Web Key Set) endpoint.

Module metadata

Reference source

content/modules/security-jwt-federated-verification.md

Last updated

2 March 2026

Category

Management

Content checksum

c7e2217f0c22e343

Tags

management, real-time, compliance, blockchain

Rendered documentation

This page renders the module's Markdown and Mermaid directly from the public documentation source.

Overview

The Federated JWT Security module enforces RS256 asymmetric cryptographic signing for all platform authentication tokens, with public key distribution through a standards-compliant JWKS (JSON Web Key Set) endpoint. This architecture enables federated token verification where any participating system can validate tokens without sharing secret keys, meeting the requirements of multi-national deployments where independent organizations must verify each other's authentication assertions without bilateral key exchange.

The module eliminates symmetric HS256 signing as a non-compliant fallback, ensuring that all tokens are signed with private keys that never leave the issuing authority while verification is performed using publicly available key material.

Key Features

  • RS256-Only Token Signing -- All JWT tokens are signed exclusively with RSA-SHA256 using 2048-bit or larger keys, with HS256 and other symmetric algorithms permanently disabled to prevent downgrade attacks
  • JWKS Public Endpoint -- A standards-compliant /.well-known/jwks.json endpoint publishes current and rotated public keys, enabling any federated participant to verify tokens without prior key exchange
  • Key Rotation -- Automated key rotation with configurable rotation periods, grace periods for in-flight tokens signed with previous keys, and key identifier (kid) tracking for seamless transitions
  • Fail-Closed Token Revocation -- Token revocation checks default to denying access when the revocation service is unavailable, preventing authentication bypass during system disruptions
  • Multi-Tenant Key Isolation -- Each tenant operates with independent signing keys, preventing token forgery across tenant boundaries even if a single tenant's infrastructure is compromised
  • EU Regulations Compliance -- Token architecture meets EU Regulations requirements for federated authentication across multi-national deployments, supporting independent verification by all participating nations
  • Token Introspection -- Standards-compliant token introspection endpoint for systems that require real-time token validity checking beyond signature verification
  • Audit Trail -- All token issuance, verification, revocation, and key rotation events are logged with full context for security audit and incident investigation
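The following is an added example, not code from the Argus module: a minimal RS256 issuer and JWKS verifier in Go showing the two checks the features above rely on. The verifier pins the algorithm to RS256, so an HS256 or "none" header is refused before any key material is touched, and it selects the public key by kid, so a key that has rotated out of the published set simply stops validating. The JWK/JWKS types, the kid value and the NewKey helper are assumptions made for the demo, not the module's API.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// JWK is the subset of an RFC 7517 RSA key entry the verifier needs; JWKS is the published
// set, in which a rotated key stays listed for its grace period and is then dropped.
type JWK struct{ Kty, Kid, Alg, N, E string }
type JWKS struct{ Keys []JWK }
func b64(b []byte) string            { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }
// NewKey makes a 2048-bit signing key (demo only; production keys live in the secrets manager).
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
// ToJWK exports the public half of a key as a JWKS entry under the given kid (assumed format).
func ToJWK(kid string, pub *rsa.PublicKey) JWK {
	return JWK{Kty: "RSA", Kid: kid, Alg: "RS256", N: b64(pub.N.Bytes()), E: b64(big.NewInt(int64(pub.E)).Bytes())}
}
// Sign issues an RS256 token whose header carries the kid so verifiers can select the key.
func Sign(kid string, priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	c, _ := json.Marshal(claims)
	si := b64(h) + "." + b64(c)
	d := sha256.Sum256([]byte(si))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return si + "." + b64(sig), err
}
// Verify trusts the header only for alg and kid: anything but RS256 is refused before any key
// material is used, so an HS256 or "none" header never reaches the public key.
func Verify(tok string, set JWKS) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 { return errors.New("malformed token") }
	var hdr struct{ Alg, Kid string }
	if hb, err := unb64(p[0]); err != nil || json.Unmarshal(hb, &hdr) != nil { return errors.New("bad header") }
	if hdr.Alg != "RS256" { return errors.New("algorithm not allowed: " + hdr.Alg) }
	var key *JWK // lookup by kid: a key rotated past its grace period is simply absent
	for i := range set.Keys { if set.Keys[i].Kid == hdr.Kid && set.Keys[i].Kty == "RSA" { key = &set.Keys[i] } }
	if key == nil { return errors.New("unknown kid") }
	nb, e1 := unb64(key.N); eb, e2 := unb64(key.E); sig, e3 := unb64(p[2])
	if e1 != nil || e2 != nil || e3 != nil { return errors.New("bad encoding") }
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) // nil only for a genuine signature
}
```

Expiry, tenant and fail-closed revocation checks, which the module layers on top of signature verification, are deliberately left out to keep the example to the key-selection and algorithm-pinning logic.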

Use Cases

  • Multi-National Operations -- Allied nations deploy independent Argus instances that accept each other's authentication tokens through JWKS-based verification, enabling single sign-on across national boundaries without shared secrets
  • Microservice Architecture -- Internal platform services verify authentication tokens using the JWKS endpoint without requiring access to signing keys, enabling zero-trust service-to-service authentication
  • Third-Party Integration -- External systems validate Argus-issued tokens to authorize API access, using the public JWKS endpoint for key material without requiring bilateral credential sharing
  • Compliance Auditing -- Security auditors verify that all authentication tokens use approved cryptographic algorithms and key strengths by inspecting the JWKS endpoint and token headers

Integration

The module is embedded in the authentication service and consumed by all platform components for token verification. It connects to the secrets management system for private key storage, the audit logging platform for authentication event recording, and the compliance dashboard for cryptographic compliance monitoring. The JWKS endpoint is publicly accessible for federated verification by external systems.

Availability

  • Enterprise Plan: Full federated JWT security included
  • Professional Plan: RS256 token signing included; federated JWKS and multi-tenant key isolation available as add-on

Last Reviewed: 2026-03-02