@@ -550,6 +550,8 @@ This document provides a detailed breakdown of tasks, components, features, test
550550* ** Test Case (Integration):**
551551 - [ ] Revoked tokens are invalidated and cannot be used.
552552 - [ ] Introspection endpoint returns correct token status and claims.
553+ - [ ] Verify token introspection endpoint (` /introspect ` ) path correctly uses customized ` CoreIdentRouteOptions.TokenPath ` .
554+ - [ ] Verify token revocation endpoint (` /revoke ` ) path correctly uses customized ` CoreIdentRouteOptions.TokenPath ` .
553555- [ ] ** Update README.md** with details on revocation and introspection endpoints.
554556- [ ] ** Update Developer Training Guide** with details on revocation and introspection endpoints.
555557
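Review bot: the two added test cases (lines 553-554) assert that `/introspect` and `/revoke` "correctly use" `CoreIdentRouteOptions.TokenPath`, but they never state what the resolved path should be, so the tests cannot be written against a concrete expectation. Spell out the intended composition the way the later `/me` cases do, e.g. "with `TokenPath` set to `/token`, introspection is served at `/token/introspect`", or, if these endpoints are meant to be siblings of the token endpoint rather than nested under it, give them their own route option instead of reusing `TokenPath`. Either way the expected URL should appear in the checklist item.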
@@ -560,10 +562,19 @@ This document provides a detailed breakdown of tasks, components, features, test
560562* ** Component:** Token Lifetime Configuration
561563 - [ ] Support per-client and per-scope token lifetimes.
562564* ** Component:** Key Management
565+ - [ ] Implement support for asymmetric signing keys (RSA, potentially ECDSA).
566+ * * Guidance:* Add configuration options to specify key material (e.g., PEM files, key vault reference).
567+ * * Guidance:* Update ` ITokenService ` /` JwtTokenService ` to load and use asymmetric keys for signing.
568+ * * Guidance:* Update JWKS endpoint (` /.well-known/jwks.json ` ) to publish public keys correctly (including ` kty ` , ` n ` , ` e ` for RSA).
569+ * * Guidance:* Update token validation logic (where applicable internally or in examples) to handle asymmetric key validation.
563570 - [ ] Add support for key rotation and multiple signing keys (JWKS).
564571* ** Test Case (Integration):**
565572 - [ ] Tokens expire according to per-client/scope configuration.
566573 - [ ] Key rotation works without breaking existing tokens.
574+ - [ ] Verify tokens can be signed and validated using configured RSA keys.
575+ - [ ] Verify JWKS endpoint correctly publishes RSA public key details.
576+ - [ ] Verify user profile endpoint (` /me ` ) works correctly when ` UserProfilePath ` is configured as root-relative (e.g., default ` /me ` ).
577+ - [ ] Verify user profile endpoint (` /me ` ) works correctly when ` UserProfilePath ` is configured as base-path relative (e.g., ` me ` results in ` /auth/me ` ).
567578- [ ] ** Update README.md** with details on security enhancements.
568579- [ ] ** Update Developer Training Guide** with details on security enhancements.
569580
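Review bot: the JWKS guidance at line 568 lists only `kty`, `n` and `e` for RSA keys, which leaves the next item, "key rotation and multiple signing keys (JWKS)", without the `kid` that validators use to select the right key during rotation; add `kid` (and `use`/`alg`) to the published key set and state that the private key material loaded from PEM files or a key vault is never exposed through the endpoint. Separately, the two `/me` / `UserProfilePath` test cases added at lines 576-577 have nothing to do with key management and belong with the route-option tests in the earlier section.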
@@ -737,7 +748,7 @@ A summary table of major protocols and features, their status in CoreIdent, and
737748| Multi-Factor Authentication (MFA) & Passwordless | 2nd-factor (TOTP/WebAuthn) and passwordless options | * Planned* |
738749| Dynamic Client Registration (RFC 7591) | Programmatic registration of OAuth clients | * Planned* |
739750| Client-Initiated Backchannel Authentication (CIBA, RFC 9126) | Asynchronous user-approval flow for critical AI actions | * Planned* |
740- | Pushed Authorization Requests (PAR, RFC 9121) | Secure “ push” of auth requests to avoid leaking request parameters | * Planned* |
751+ | Pushed Authorization Requests (PAR, RFC 9121) | Secure " push" of auth requests to avoid leaking request parameters | * Planned* |
741752| Device Authorization Flow (RFC 8628) | Grant for devices with limited input (e.g. IoT, consoles) | * Planned* |
742753| Token Introspection (RFC 7662) | Endpoint for resource servers to validate token metadata | * Planned* |
743754| Token Revocation (RFC 7009) | Endpoint to revoke tokens on logout or compromise | * Planned* |
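Review bot: the only change in this hunk is the quote character in the PAR row, but the row still cites "RFC 9121" for Pushed Authorization Requests; PAR is RFC 9126, which is the number the unchanged CIBA row directly above it is using, and CIBA is an OpenID Foundation specification rather than an IETF RFC. Since the row is being touched anyway, correct both references. Also note that Token Introspection and Token Revocation remain marked *Planned* here while the first hunk of this diff adds integration tests for both endpoints; the status column should reflect whichever is actually true.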