Security issue with External JWT in multi-tenant scenario #2585

Open
@huysentruitw

Description

Some facts

  • The "Key Master" in FusionAuth is global and not tenant aware
  • An "External JWT" identity provider accepts any token signed by any key known in the "Key Master" (identified by kid)

The problem

When configuring two (or more) "External JWT" identity providers for two (or more) tenants, there is no way to restrict which external JWTs are accepted by which identity provider. As a result, an external JWT from tenant A is also accepted as a valid external JWT for tenant B, which results in a security issue.

Proposed solutions

  1. The "Key Master" is tenant aware, so that we have a key master per tenant.
  2. Or: keys in the "Key Master" are assignable to one or more tenants.
  3. Or: the "Default verification key" option in the "External JWT" identity provider configuration is changed to "Verification key" where only one key (or two, to support key rotation) is configurable and also required.

Glad to hear suggestions or feedback.

PS. I've asked this question on the forum first but got forwarded to GitHub.
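As an added illustration (not code from FusionAuth or from the issue author), the Python sketch below contrasts a verifier that resolves `kid` against one global key store with a verifier that only trusts the key(s) configured for a specific identity provider, which is the effect of proposal 3. HS256 is used only to keep the example self-contained; the key ids and secrets are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for a global, tenant-unaware "Key Master": kid -> HMAC secret.
KEY_MASTER = {
    "kid-tenant-a": b"constructed-secret-for-tenant-a-issuer",
    "kid-tenant-b": b"constructed-secret-for-tenant-b-issuer",
}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims, kid):
    """Mint an HS256 token the way the external issuer for one tenant would."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY_MASTER[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def _verify_with(token, keys):
    """Verify an HS256 token with the key its kid selects from `keys`; None on any failure."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        key = keys.get(header.get("kid"))  # unknown kid -> reject
        if key is None:
            return None
        expected = hmac.new(key, (h64 + "." + p64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        return json.loads(_b64url_decode(p64))
    except ValueError:  # malformed base64 / JSON / wrong number of segments
        return None

def verify_global_lookup(token):
    """Behaviour the issue describes: any kid known to the global Key Master is trusted,
    so an identity provider for tenant B accepts a token minted for tenant A."""
    return _verify_with(token, KEY_MASTER)

def verify_pinned(token, allowed_kids):
    """Proposal 3: the identity provider only trusts its own configured verification key(s),
    so a token from another tenant's issuer is rejected even though its kid exists globally."""
    return _verify_with(token, {k: KEY_MASTER[k] for k in allowed_kids if k in KEY_MASTER})
```

`allowed_kids` may hold two entries to allow key rotation, matching the "one or two keys" wording of proposal 3.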
