5-improve-encrypted-storage (#6)

Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation. Co-authored-by: eelke <eelke@eelkeklein.nl> Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com> Reviewed-on: #6
2026-02-27 17:57:42 +00:00 · 2026-02-27 17:57:42 +00:00 · 07393f57fc
commit 07393f57fc
parent 138f335af0
87 changed files with 1903 additions and 533 deletions
--- a/IdentityShroud.Core/Model/Client.cs
+++ b/IdentityShroud.Core/Model/Client.cs
@ -1,11 +1,29 @@
-using IdentityShroud.Core.Security;
+using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations.Schema;
+using Microsoft.EntityFrameworkCore;

 namespace IdentityShroud.Core.Model;

+[Table("client")]
+[Index(nameof(ClientId), IsUnique = true)]
 public class Client
 {
-    public Guid Id { get; set; }
-    public string Name { get; set; }
+    [Key]
+    public int Id { get; set; }
+    public Guid RealmId { get; set; }
+    [MaxLength(40)]
+    public required string ClientId { get; set; }
+    [MaxLength(80)]
+    public string? Name { get; set; }
+    [MaxLength(2048)]
+    public string? Description { get; set; }
    
-    public string? SignatureAlgorithm { get; set; } = JsonWebAlgorithm.RS256;
+    [MaxLength(20)]
+    public string? SignatureAlgorithm { get; set; }
+    
+    public bool AllowClientCredentialsFlow { get; set; } = false;
+    
+    public required DateTime CreatedAt { get; set; }
+
+    public List<ClientSecret> Secrets { get; set; } = [];
 }