From 774430ea74915ecab90218ffad0a5c3eb07354fa Mon Sep 17 00:00:00 2001 From: Steven Cleve <107827476+stevencl840@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:19:09 +1000 Subject: [PATCH 1/7] Update signing key document --- .../docs/infrastructure/signing-keys/index.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/pages/docs/infrastructure/signing-keys/index.md b/src/pages/docs/infrastructure/signing-keys/index.md index 660a86e0f4..00079551ec 100644 --- a/src/pages/docs/infrastructure/signing-keys/index.md +++ b/src/pages/docs/infrastructure/signing-keys/index.md @@ -1,7 +1,7 @@ --- layout: src/layouts/Default.astro pubDate: 2023-11-01 -modDate: 2023-11-01 +modDate: 2026-04-15 title: Signing Keys description: Signing keys used for OpenID Connect authentication navOrder: 40 
@@ -10,16 +10,16 @@ hideInThisSection: true Octopus uses a Signing Key to sign the generated authorization request tokens used in the authentication flow for OpenID Connect. The public signing key is used by the resource server to validate the token supplied by Octopus. -The signing keys by default have a 90-day expiry and will be rotated when they expire. +Depending on your security requirements, your public keys can either be hosted by your Octopus Deploy instance or delegated to a 3rd party. -:::div{.warning} -Since OpenID Connect authentication is still an EAP feature, there is no User Interface to manage or view the Signing Keys. +### Internally hosted +When using internally hosted public keys, your Octopus Deploy instance will host and manage them. Octopus Deploy will automatically rotate and revoke the keys according to your preferences. Any tokens Octopus Deploy creates will include the current public address of your Octopus Deploy instance as the issuer. It is important to ensure your Octopus Deploy instance can be accessed at this address. -The following API endpoints can be used to manage the Signing Keys: +## Externally hosted +When externally hosting public keys, they will be available for download as a zip file. The contents of this zip file can then be hosted on any hosting provider that publicly serves HTTPS. The location where the files are hosted must be provided as the `OIDC Issuer URL`. When Octopus Deploy creates a token, the issuer will point to the `OIDC Issuer URL`. While the location specified by the issuer URL must be publicly available, the Octopus Deploy instance can be isolated from public access. -List all keys: `GET` `/api/signingkeys/v1` +### Rotating externally hosted keys +Externally hosted public keys must be manually rotated. Upon clicking `Rotate`, a new set of keys will be downloaded as a zip file. The user will then need to upload the contents of this file to their chosen hosting provider. 
Octopus Deploy will poll the provided `OIDC Issuer URL` for the new keys. Once it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. -Rotate the active key: `POST` `/api/signingkeys/rotate/v1` - -Revoke a signing key: `POST` `/api/signingkeys/{id}/revoke/v1` -::: \ No newline at end of file +:::div{.info} +The new key set will include your previous active key. This ensures that all OIDC services continue to function while the key rotation is underway. Octopus Deploy will start signing tokens with the new key only after validating that the new key is available at the issuer URL. From 9ffc9af73d55cd8b1f9e5a936eca1d1518c144ff Mon Sep 17 00:00:00 2001 From: Steven Cleve <107827476+stevencl840@users.noreply.github.com> Date: Wed, 15 Apr 2026 16:06:49 +1000 Subject: [PATCH 2/7] Fixed headings --- src/pages/docs/infrastructure/signing-keys/index.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/pages/docs/infrastructure/signing-keys/index.md b/src/pages/docs/infrastructure/signing-keys/index.md index 00079551ec..b83e3c0030 100644 --- a/src/pages/docs/infrastructure/signing-keys/index.md +++ b/src/pages/docs/infrastructure/signing-keys/index.md 
@@ -13,12 +13,15 @@ Octopus uses a Signing Key to sign the generated authorization request tokens us Depending on your security requirements, your public keys can either be hosted by your Octopus Deploy instance or delegated to a 3rd party. ### Internally hosted + When using internally hosted public keys, your Octopus Deploy instance will host and manage them. Octopus Deploy will automatically rotate and revoke the keys according to your preferences. Any tokens Octopus Deploy creates will include the current public address of your Octopus Deploy instance as the issuer. It is important to ensure your Octopus Deploy instance can be accessed at this address. ## Externally hosted + When externally hosting public keys, they will be available for download as a zip file. The contents of this zip file can then be hosted on any hosting provider that publicly serves HTTPS. The location where the files are hosted must be provided as the `OIDC Issuer URL`. When Octopus Deploy creates a token, the issuer will point to the `OIDC Issuer URL`. While the location specified by the issuer URL must be publicly available, the Octopus Deploy instance can be isolated from public access. -### Rotating externally hosted keys +## Rotating externally hosted keys + Externally hosted public keys must be manually rotated. Upon clicking `Rotate`, a new set of keys will be downloaded as a zip file. The user will then need to upload the contents of this file to their chosen hosting provider. Octopus Deploy will poll the provided `OIDC Issuer URL` for the new keys. Once it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. :::div{.info} From 851c89350d3ddf6cd5df49e00d7f95836c7007f5 Mon Sep 17 00:00:00 2001 
From: Steven Cleve <107827476+stevencl840@users.noreply.github.com> Date: Wed, 15 Apr 2026 16:19:14 +1000 Subject: [PATCH 3/7] Fixed headings more --- src/pages/docs/infrastructure/signing-keys/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pages/docs/infrastructure/signing-keys/index.md b/src/pages/docs/infrastructure/signing-keys/index.md index b83e3c0030..fec9cb7061 100644 --- a/src/pages/docs/infrastructure/signing-keys/index.md +++ b/src/pages/docs/infrastructure/signing-keys/index.md @@ -12,7 +12,7 @@ Octopus uses a Signing Key to sign the generated authorization request tokens us Depending on your security requirements, your public keys can either be hosted by your Octopus Deploy instance or delegated to a 3rd party. -### Internally hosted +## Internally hosted When using internally hosted public keys, your Octopus Deploy instance will host and manage them. Octopus Deploy will automatically rotate and revoke the keys according to your preferences. Any tokens Octopus Deploy creates will include the current public address of your Octopus Deploy instance as the issuer. It is important to ensure your Octopus Deploy instance can be accessed at this address. 
@@ -20,7 +20,7 @@ When using internally hosted public keys, your Octopus Deploy instance will host When externally hosting public keys, they will be available for download as a zip file. The contents of this zip file can then be hosted on any hosting provider that publicly serves HTTPS. The location where the files are hosted must be provided as the `OIDC Issuer URL`. When Octopus Deploy creates a token, the issuer will point to the `OIDC Issuer URL`. While the location specified by the issuer URL must be publicly available, the Octopus Deploy instance can be isolated from public access. -## Rotating externally hosted keys +### Rotating externally hosted keys Externally hosted public keys must be manually rotated. Upon clicking `Rotate`, a new set of keys will be downloaded as a zip file. The user will then need to upload the contents of this file to their chosen hosting provider. Octopus Deploy will poll the provided `OIDC Issuer URL` for the new keys. Once it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. From 5b72861574e796085bdc560de1314d63673ece77 Mon Sep 17 00:00:00 2001 From: Steven Cleve <107827476+stevencl840@users.noreply.github.com> Date: Wed, 15 Apr 2026 16:32:56 +1000 Subject: [PATCH 4/7] Grammer fix --- src/pages/docs/infrastructure/signing-keys/index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/pages/docs/infrastructure/signing-keys/index.md b/src/pages/docs/infrastructure/signing-keys/index.md index fec9cb7061..635b780a93 100644 --- a/src/pages/docs/infrastructure/signing-keys/index.md +++ b/src/pages/docs/infrastructure/signing-keys/index.md 
@@ -8,9 +8,9 @@ navOrder: 40 hideInThisSection: true --- -Octopus uses a Signing Key to sign the generated authorization request tokens used in the authentication flow for OpenID Connect. The public signing key is used by the resource server to validate the token supplied by Octopus. +Octopus uses a signing key to sign the generated authorization request tokens used in the authentication flow for OpenID Connect. The public signing key is used by the resource server to validate the token supplied by Octopus. -Depending on your security requirements, your public keys can either be hosted by your Octopus Deploy instance or delegated to a 3rd party. +Depending on your security requirements, your public keys can either be hosted by your Octopus Deploy instance or delegated to a third party. ## Internally hosted 
@@ -22,7 +22,7 @@ When externally hosting public keys, they will be available for download as a zi ### Rotating externally hosted keys -Externally hosted public keys must be manually rotated. Upon clicking `Rotate`, a new set of keys will be downloaded as a zip file. The user will then need to upload the contents of this file to their chosen hosting provider. Octopus Deploy will poll the provided `OIDC Issuer URL` for the new keys. Once it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. +Externally hosted public keys must be manually rotated. Upon clicking `Rotate`, a new set of keys will be downloaded as a zip file. The user will then need to upload the contents of this file to their chosen hosting provider. Octopus Deploy will poll the provided `OIDC Issuer URL` for the new keys. After it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. :::div{.info} The new key set will include your previous active key. This ensures that all OIDC services continue to function while the key rotation is underway. Octopus Deploy will start signing tokens with the new key only after validating that the new key is available at the issuer URL. From 78ac621d4403f7a1339d3544980dceb12e9af006 Mon Sep 17 00:00:00 2001 From: Steven Cleve <107827476+stevencl840@users.noreply.github.com> Date: Wed, 15 Apr 2026 16:35:09 +1000 Subject: [PATCH 5/7] fix inconsistent voide --- src/pages/docs/infrastructure/signing-keys/index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/pages/docs/infrastructure/signing-keys/index.md b/src/pages/docs/infrastructure/signing-keys/index.md index 635b780a93..e2b2bbdd08 100644 --- a/src/pages/docs/infrastructure/signing-keys/index.md +++ b/src/pages/docs/infrastructure/signing-keys/index.md 
@@ -22,7 +22,8 @@ When externally hosting public keys, they will be available for download as a zi ### Rotating externally hosted keys -Externally hosted public keys must be manually rotated. Upon clicking `Rotate`, a new set of keys will be downloaded as a zip file. The user will then need to upload the contents of this file to their chosen hosting provider. Octopus Deploy will poll the provided `OIDC Issuer URL` for the new keys. After it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. +Externally hosted public keys must be manually rotated. Upon clicking `Rotate`, a new set of keys will be downloaded as a zip file. You will then need to upload the contents of this file to your chosen hosting provider. Octopus Deploy will poll the provided `OIDC Issuer URL` for the new keys. After it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. :::div{.info} The new key set will include your previous active key. This ensures that all OIDC services continue to function while the key rotation is underway. Octopus Deploy will start signing tokens with the new key only after validating that the new key is available at the issuer URL. +::: From adfe8dada9b4e5e30c226754c1a5c3601819e680 Mon Sep 17 00:00:00 2001 From: Steven Cleve <107827476+stevencl840@users.noreply.github.com> Date: Wed, 15 Apr 2026 16:44:37 +1000 Subject: [PATCH 6/7] Fix formatting and voice --- src/pages/docs/infrastructure/signing-keys/index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/pages/docs/infrastructure/signing-keys/index.md b/src/pages/docs/infrastructure/signing-keys/index.md index e2b2bbdd08..bcfb5104d2 100644 --- a/src/pages/docs/infrastructure/signing-keys/index.md +++ b/src/pages/docs/infrastructure/signing-keys/index.md 
@@ -14,15 +14,15 @@ Depending on your security requirements, your public keys can either be hosted b ## Internally hosted -When using internally hosted public keys, your Octopus Deploy instance will host and manage them. Octopus Deploy will automatically rotate and revoke the keys according to your preferences. Any tokens Octopus Deploy creates will include the current public address of your Octopus Deploy instance as the issuer. It is important to ensure your Octopus Deploy instance can be accessed at this address. +When using internally hosted public keys, your Octopus Deploy instance will host and manage them. Octopus Deploy will automatically rotate and revoke the keys according to your preferences. Any tokens Octopus Deploy creates will include the current public address of your Octopus Deploy instance as the issuer. Ensure your Octopus Deploy instance is accessible at this address. ## Externally hosted -When externally hosting public keys, they will be available for download as a zip file. The contents of this zip file can then be hosted on any hosting provider that publicly serves HTTPS. The location where the files are hosted must be provided as the `OIDC Issuer URL`. When Octopus Deploy creates a token, the issuer will point to the `OIDC Issuer URL`. While the location specified by the issuer URL must be publicly available, the Octopus Deploy instance can be isolated from public access. +When externally hosting public keys, they will be available for download as a zip file. The contents of this zip file can then be hosted on any hosting provider that publicly serves HTTPS. The location where the files are hosted must be provided as the **OIDC Issuer URL**. When Octopus Deploy creates a token, the issuer will point to the **OIDC Issuer URL**. While the location specified by the issuer URL must be publicly available, the Octopus Deploy instance can be isolated from public access. 
### Rotating externally hosted keys -Externally hosted public keys must be manually rotated. Upon clicking `Rotate`, a new set of keys will be downloaded as a zip file. You will then need to upload the contents of this file to your chosen hosting provider. Octopus Deploy will poll the provided `OIDC Issuer URL` for the new keys. After it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. +Externally hosted public keys must be manually rotated. Upon clicking **Rotate**, a new set of keys will be downloaded as a zip file. You will then need to upload the contents of this file to your chosen hosting provider. Octopus Deploy will poll the provided **OIDC Issuer URL** for the new keys. After it successfully validates that the new keys are available at the issuer URL, it will start using the new signing key. :::div{.info} The new key set will include your previous active key. This ensures that all OIDC services continue to function while the key rotation is underway. Octopus Deploy will start signing tokens with the new key only after validating that the new key is available at the issuer URL. From bf990aa0734bd0c279c0c0db97f461e2a3cce89a Mon Sep 17 00:00:00 2001 From: Steven Cleve <107827476+stevencl840@users.noreply.github.com> Date: Tue, 19 May 2026 11:30:26 +1000 Subject: [PATCH 7/7] Update index.md --- src/pages/docs/infrastructure/signing-keys/index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/pages/docs/infrastructure/signing-keys/index.md b/src/pages/docs/infrastructure/signing-keys/index.md index bcfb5104d2..97a3ac8ed6 100644 --- a/src/pages/docs/infrastructure/signing-keys/index.md +++ b/src/pages/docs/infrastructure/signing-keys/index.md 
@@ -27,3 +27,5 @@ Externally hosted public keys must be manually rotated. Upon clicking **Rotate** :::div{.info} The new key set will include your previous active key. This ensures that all OIDC services continue to function while the key rotation is underway. Octopus Deploy will start signing tokens with the new key only after validating that the new key is available at the issuer URL. ::: + +Support for manually managing signing keys has been added in **2026.2** and later.
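Review bot: In PATCH 1/7, the `@@ -10,16 +10,16 @@` hunk removes the only statement of the default key lifetime (`The signing keys by default have a 90-day expiry and will be rotated when they expire.`) without replacing it; the new `### Internally hosted` paragraph says keys are rotated "according to your preferences" but never states the default or where that preference is set, so either keep a sentence like "By default, internally hosted keys expire after 90 days and are rotated automatically" or state the new default if it changed. The same hunk also drops the revoke endpoint (`Revoke a signing key: `POST` `/api/signingkeys/{id}/revoke/v1``) and the new text never says how a key is revoked for either hosting mode, which a reader needs if a private key is suspected compromised. Two smaller points in the same hunk: the `:::div{.info}` block it opens has no closing `:::` (the old `:::` went out with the warning block), and `### Internally hosted` sits one level below `## Externally hosted` although they are siblings. Finally, "any hosting provider that publicly serves HTTPS" reads as if only public readability matters; since whoever can write to the issuer URL location controls which public keys resource servers trust, the externally hosted paragraph should also say to restrict write access to that location.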
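Review bot: In PATCH 2/7, changing `### Rotating externally hosted keys` to `## Rotating externally hosted keys` promotes the rotation subsection to the same level as `## Externally hosted`, although it only applies to externally hosted keys; it belongs at `###` under that section. PATCH 3/7 reverts exactly this line, so 2/7 and 3/7 should be squashed into one "fix heading levels" commit. The blank lines added after each heading in this hunk are fine.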
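Review bot: PATCH 5/7 adds the `:::` that PATCH 1/7 left missing after the `:::div{.info}` block. Since commits 1 through 6 all edit the same file for the same change, consider squashing them so that no intermediate commit ships the unclosed container; the voice change from "The user will then need to upload" to "You will then need to upload" in the same hunk is consistent with the rest of the page.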
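Review bot: In PATCH 6/7, switching `OIDC Issuer URL` and `Rotate` from code spans to bold is the right call if they are UI labels, but the hunk still tells the reader the location "must be provided as the **OIDC Issuer URL**" without saying where that setting lives; add the UI location (or the settings page name) so the bold label can actually be found. The rewording "Ensure your Octopus Deploy instance is accessible at this address" is clearer than the old sentence, and it could usefully add why: tokens carry that address as the issuer, so resource servers must be able to reach it to validate them.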
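Review bot: In PATCH 7/7, "has been added in **2026.2** and later" is redundant (added in 2026.2 already implies later versions), and placing the note after the rotation info box makes it read as if it applies only to rotation; it is unclear whether "manually managing signing keys" means the externally hosted option, the **Rotate** action, or both. Suggest "Externally hosted signing keys and manual rotation are available from Octopus **2026.2**." placed directly under the introductory paragraph, so readers on older versions know before reading the `## Externally hosted` section.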