From ae1305c80120cbd2c65223dd2ba3abb4abc65906 Mon Sep 17 00:00:00 2001 From: Steven Cleve <107827476+stevencl840@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:19:09 +1000 Subject: [PATCH 1/6] Update signing key document --- .../docs/infrastructure/signing-keys/index.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/pages/docs/infrastructure/signing-keys/index.md b/src/pages/docs/infrastructure/signing-keys/index.md index 660a86e0f4..00079551ec 100644 --- a/src/pages/docs/infrastructure/signing-keys/index.md +++ b/src/pages/docs/infrastructure/signing-keys/index.md @@ -1,7 +1,7 @@ --- layout: src/layouts/Default.astro pubDate: 2023-11-01 -modDate: 2023-11-01 +modDate: 2026-04-15 title: Signing Keys description: Signing keys used for OpenID Connect authentication navOrder: 40 
@@ -10,16 +10,16 @@ hideInThisSection: true Octopus uses a Signing Key to sign the generated authorization request tokens used in the authentication flow for OpenID Connect. The public signing key is used by the resource server to validate the token supplied by Octopus. -The signing keys by default have a 90-day expiry and will be rotated when they expire. +Depending on your security requirements, your public keys can either be hosted by your Octopus Deploy instance or delegated to a 3rd party. -:::div{.warning} -Since OpenID Connect authentication is still an EAP feature, there is no User Interface to manage or view the Signing Keys. +### Internally hosted +When using internally hosted public keys, your Octopus Deploy instance will host and manage them. Octopus Deploy will automatically rotate and revoke the keys according to your preferences. Any tokens Octopus Deploy creates will include the current public address of your Octopus Deploy instance as the issuer. It is important to ensure your Octopus Deploy instance can be accessed at this address. -The following API endpoints can be used to manage the Signing Keys: +## Externally hosted +When externally hosting public keys, they will be available for download as a zip file. The contents of this zip file can then be hosted on any hosting provider that publicly serves HTTPS. The location where the files are hosted must be provided as the `OIDC Issuer URL`. When Octopus Deploy creates a token, the issuer will point to the `OIDC Issuer URL`. While the location specified by the issuer URL must be publicly available, the Octopus Deploy instance can be isolated from public access. -List all keys: `GET` `/api/signingkeys/v1` +### Rotating externally hosted keys +Externally hosted public keys must be manually rotated. Upon clicking `Rotate`, a new set of keys will be downloaded as a zip file. The user will then need to upload the contents of this file to their chosen hosting provider. 
Octopus Deploy will poll the provided `OIDC Issuer URL` for the new keys. Once it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. -Rotate the active key: `POST` `/api/signingkeys/rotate/v1` - -Revoke a signing key: `POST` `/api/signingkeys/{id}/revoke/v1` -::: \ No newline at end of file +:::div{.info} +The new key set will include your previous active key. This ensures that all OIDC services continue to function while the key rotation is underway. Octopus Deploy will start signing tokens with the new key only after validating that the new key is available at the issuer URL. From 1e782401ec61f260060c4d8385432ba081ba8859 Mon Sep 17 00:00:00 2001 From: Steven Cleve <107827476+stevencl840@users.noreply.github.com> Date: Wed, 15 Apr 2026 16:06:49 +1000 Subject: [PATCH 2/6] Fixed headings --- src/pages/docs/infrastructure/signing-keys/index.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/pages/docs/infrastructure/signing-keys/index.md b/src/pages/docs/infrastructure/signing-keys/index.md index 00079551ec..b83e3c0030 100644 --- a/src/pages/docs/infrastructure/signing-keys/index.md +++ b/src/pages/docs/infrastructure/signing-keys/index.md 
@@ -13,12 +13,15 @@ Octopus uses a Signing Key to sign the generated authorization request tokens us Depending on your security requirements, your public keys can either be hosted by your Octopus Deploy instance or delegated to a 3rd party. ### Internally hosted + When using internally hosted public keys, your Octopus Deploy instance will host and manage them. Octopus Deploy will automatically rotate and revoke the keys according to your preferences. Any tokens Octopus Deploy creates will include the current public address of your Octopus Deploy instance as the issuer. It is important to ensure your Octopus Deploy instance can be accessed at this address. ## Externally hosted + When externally hosting public keys, they will be available for download as a zip file. The contents of this zip file can then be hosted on any hosting provider that publicly serves HTTPS. The location where the files are hosted must be provided as the `OIDC Issuer URL`. When Octopus Deploy creates a token, the issuer will point to the `OIDC Issuer URL`. While the location specified by the issuer URL must be publicly available, the Octopus Deploy instance can be isolated from public access. -### Rotating externally hosted keys +## Rotating externally hosted keys + Externally hosted public keys must be manually rotated. Upon clicking `Rotate`, a new set of keys will be downloaded as a zip file. The user will then need to upload the contents of this file to their chosen hosting provider. Octopus Deploy will poll the provided `OIDC Issuer URL` for the new keys. Once it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. :::div{.info} From 1fbf2231fda37c6316fc303c16ec0940e5d3af84 Mon Sep 17 00:00:00 2001 
From: Steven Cleve <107827476+stevencl840@users.noreply.github.com> Date: Wed, 15 Apr 2026 16:19:14 +1000 Subject: [PATCH 3/6] Fixed headings more --- src/pages/docs/infrastructure/signing-keys/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pages/docs/infrastructure/signing-keys/index.md b/src/pages/docs/infrastructure/signing-keys/index.md index b83e3c0030..fec9cb7061 100644 --- a/src/pages/docs/infrastructure/signing-keys/index.md +++ b/src/pages/docs/infrastructure/signing-keys/index.md @@ -12,7 +12,7 @@ Octopus uses a Signing Key to sign the generated authorization request tokens us Depending on your security requirements, your public keys can either be hosted by your Octopus Deploy instance or delegated to a 3rd party. -### Internally hosted +## Internally hosted When using internally hosted public keys, your Octopus Deploy instance will host and manage them. Octopus Deploy will automatically rotate and revoke the keys according to your preferences. Any tokens Octopus Deploy creates will include the current public address of your Octopus Deploy instance as the issuer. It is important to ensure your Octopus Deploy instance can be accessed at this address. 
@@ -20,7 +20,7 @@ When using internally hosted public keys, your Octopus Deploy instance will host When externally hosting public keys, they will be available for download as a zip file. The contents of this zip file can then be hosted on any hosting provider that publicly serves HTTPS. The location where the files are hosted must be provided as the `OIDC Issuer URL`. When Octopus Deploy creates a token, the issuer will point to the `OIDC Issuer URL`. While the location specified by the issuer URL must be publicly available, the Octopus Deploy instance can be isolated from public access. -## Rotating externally hosted keys +### Rotating externally hosted keys Externally hosted public keys must be manually rotated. Upon clicking `Rotate`, a new set of keys will be downloaded as a zip file. The user will then need to upload the contents of this file to their chosen hosting provider. Octopus Deploy will poll the provided `OIDC Issuer URL` for the new keys. Once it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. From a454d8fbebc7de4239713ca2af04c9ecf00f971d Mon Sep 17 00:00:00 2001 From: Steven Cleve <107827476+stevencl840@users.noreply.github.com> Date: Wed, 15 Apr 2026 16:32:56 +1000 Subject: [PATCH 4/6] Grammer fix --- src/pages/docs/infrastructure/signing-keys/index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/pages/docs/infrastructure/signing-keys/index.md b/src/pages/docs/infrastructure/signing-keys/index.md index fec9cb7061..635b780a93 100644 --- a/src/pages/docs/infrastructure/signing-keys/index.md +++ b/src/pages/docs/infrastructure/signing-keys/index.md 
@@ -8,9 +8,9 @@ navOrder: 40 hideInThisSection: true --- -Octopus uses a Signing Key to sign the generated authorization request tokens used in the authentication flow for OpenID Connect. The public signing key is used by the resource server to validate the token supplied by Octopus. +Octopus uses a signing key to sign the generated authorization request tokens used in the authentication flow for OpenID Connect. The public signing key is used by the resource server to validate the token supplied by Octopus. -Depending on your security requirements, your public keys can either be hosted by your Octopus Deploy instance or delegated to a 3rd party. +Depending on your security requirements, your public keys can either be hosted by your Octopus Deploy instance or delegated to a third party. ## Internally hosted 
@@ -22,7 +22,7 @@ When externally hosting public keys, they will be available for download as a zi ### Rotating externally hosted keys -Externally hosted public keys must be manually rotated. Upon clicking `Rotate`, a new set of keys will be downloaded as a zip file. The user will then need to upload the contents of this file to their chosen hosting provider. Octopus Deploy will poll the provided `OIDC Issuer URL` for the new keys. Once it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. +Externally hosted public keys must be manually rotated. Upon clicking `Rotate`, a new set of keys will be downloaded as a zip file. The user will then need to upload the contents of this file to their chosen hosting provider. Octopus Deploy will poll the provided `OIDC Issuer URL` for the new keys. After it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. :::div{.info} The new key set will include your previous active key. This ensures that all OIDC services continue to function while the key rotation is underway. Octopus Deploy will start signing tokens with the new key only after validating that the new key is available at the issuer URL. From 8a7714d54a6869e893919d1958c8475b7b25567c Mon Sep 17 00:00:00 2001 From: Steven Cleve <107827476+stevencl840@users.noreply.github.com> Date: Wed, 15 Apr 2026 16:35:09 +1000 Subject: [PATCH 5/6] fix inconsistent voide --- src/pages/docs/infrastructure/signing-keys/index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/pages/docs/infrastructure/signing-keys/index.md b/src/pages/docs/infrastructure/signing-keys/index.md index 635b780a93..e2b2bbdd08 100644 --- a/src/pages/docs/infrastructure/signing-keys/index.md +++ b/src/pages/docs/infrastructure/signing-keys/index.md 
@@ -22,7 +22,8 @@ When externally hosting public keys, they will be available for download as a zi ### Rotating externally hosted keys -Externally hosted public keys must be manually rotated. Upon clicking `Rotate`, a new set of keys will be downloaded as a zip file. The user will then need to upload the contents of this file to their chosen hosting provider. Octopus Deploy will poll the provided `OIDC Issuer URL` for the new keys. After it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. +Externally hosted public keys must be manually rotated. Upon clicking `Rotate`, a new set of keys will be downloaded as a zip file. You will then need to upload the contents of this file to your chosen hosting provider. Octopus Deploy will poll the provided `OIDC Issuer URL` for the new keys. After it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. :::div{.info} The new key set will include your previous active key. This ensures that all OIDC services continue to function while the key rotation is underway. Octopus Deploy will start signing tokens with the new key only after validating that the new key is available at the issuer URL. +::: From 49e5558970860e6efbd20cac789801819badd174 Mon Sep 17 00:00:00 2001 From: Steven Cleve <107827476+stevencl840@users.noreply.github.com> Date: Wed, 15 Apr 2026 16:44:37 +1000 Subject: [PATCH 6/6] Fix formatting and voice --- src/pages/docs/infrastructure/signing-keys/index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/pages/docs/infrastructure/signing-keys/index.md b/src/pages/docs/infrastructure/signing-keys/index.md index e2b2bbdd08..bcfb5104d2 100644 --- a/src/pages/docs/infrastructure/signing-keys/index.md +++ b/src/pages/docs/infrastructure/signing-keys/index.md 
@@ -14,15 +14,15 @@ Depending on your security requirements, your public keys can either be hosted b ## Internally hosted -When using internally hosted public keys, your Octopus Deploy instance will host and manage them. Octopus Deploy will automatically rotate and revoke the keys according to your preferences. Any tokens Octopus Deploy creates will include the current public address of your Octopus Deploy instance as the issuer. It is important to ensure your Octopus Deploy instance can be accessed at this address. +When using internally hosted public keys, your Octopus Deploy instance will host and manage them. Octopus Deploy will automatically rotate and revoke the keys according to your preferences. Any tokens Octopus Deploy creates will include the current public address of your Octopus Deploy instance as the issuer. Ensure your Octopus Deploy instance is accessible at this address. ## Externally hosted -When externally hosting public keys, they will be available for download as a zip file. The contents of this zip file can then be hosted on any hosting provider that publicly serves HTTPS. The location where the files are hosted must be provided as the `OIDC Issuer URL`. When Octopus Deploy creates a token, the issuer will point to the `OIDC Issuer URL`. While the location specified by the issuer URL must be publicly available, the Octopus Deploy instance can be isolated from public access. +When externally hosting public keys, they will be available for download as a zip file. The contents of this zip file can then be hosted on any hosting provider that publicly serves HTTPS. The location where the files are hosted must be provided as the **OIDC Issuer URL**. When Octopus Deploy creates a token, the issuer will point to the **OIDC Issuer URL**. While the location specified by the issuer URL must be publicly available, the Octopus Deploy instance can be isolated from public access. 
### Rotating externally hosted keys -Externally hosted public keys must be manually rotated. Upon clicking `Rotate`, a new set of keys will be downloaded as a zip file. You will then need to upload the contents of this file to your chosen hosting provider. Octopus Deploy will poll the provided `OIDC Issuer URL` for the new keys. After it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. +Externally hosted public keys must be manually rotated. Upon clicking **Rotate**, a new set of keys will be downloaded as a zip file. You will then need to upload the contents of this file to your chosen hosting provider. Octopus Deploy will poll the provided **OIDC Issuer URL** for the new keys. After it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. :::div{.info} The new key set will include your previous active key. This ensures that all OIDC services continue to function while the key rotation is underway. Octopus Deploy will start signing tokens with the new key only after validating that the new key is available at the issuer URL.
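Review bot: in PATCH 1/6, second hunk, the `:::div{.info}` opened after the rotation paragraph is never closed: the old closing `:::` is removed together with the API endpoint lines and nothing replaces it, so the admonition runs to the end of the file until PATCH 5/6 adds `:::` back; fold that fix into this commit. The same hunk also drops the only concrete defaults the page had ("a 90-day expiry and will be rotated when they expire") in favour of "according to your preferences" without saying where those preferences are set or what the default is; keep the default period and link the settings location. Likewise `GET /api/signingkeys/v1`, `POST /api/signingkeys/rotate/v1` and `POST /api/signingkeys/{id}/revoke/v1` are deleted with no replacement reference; if the endpoints still exist, keep them documented, and if the EAP warning goes because the feature is now generally available, say so in the commit message. Finally, `### Internally hosted` and `## Externally hosted` are siblings at different heading levels here, PATCH 2/6 and 3/6 flip them back and forth before settling, and PATCH 4/6 ("Grammer fix") and 5/6 ("fix inconsistent voide") are further fixups whose subject lines also need spelling corrections ("Grammar", "voice"), so squashing the series into one commit would make it reviewable as a single change.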
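Review bot: in PATCH 6/6, first hunk, the externally hosted paragraph still says only that the zip "contents" are hosted on a provider that serves HTTPS; it should name what the zip contains and the paths, relative to the **OIDC Issuer URL**, at which each file must be served, because a relying party resolves the discovery document and key set from the issuer value carried in the token, and a file at the wrong path is the most likely misconfiguration an operator will hit. Suggest also stating that the configured **OIDC Issuer URL** must match the published issuer exactly (scheme, host, path and trailing slash), since issuer comparison in OpenID Connect is a string match. The rewording of "It is important to ensure" to "Ensure your Octopus Deploy instance is accessible at this address" is fine.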
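Review bot: in PATCH 6/6, second hunk, the rotation paragraph and the info note describe how a new key is introduced but not how an old one leaves: the internally hosted section promises that Octopus will "rotate and revoke" keys, while for externally hosted keys only **Rotate** is described, the note says the new set "will include your previous active key", and nothing states when that previous key drops out of the published set or how an operator removes a key believed to be compromised. Add the revocation procedure for externally hosted keys (or say explicitly that it is not available) and state how long the previous key stays in the set. Also say where **Rotate** is found in the product, since the text this series replaces stated there was no user interface for signing keys.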