Open
Labels: bug (Something isn't working); triaged (Issues labeled as 'Triaged' have been reviewed and are deemed actionable)
Description
Describe the bug
Hello,
This isn't exactly a bug, but it isn't a feature request either.
I'm planning to use JWT in production to validate users, rather than username and password, and a question came to my mind:
How safe is JWT? Can it be used like a device token? I guess its private key is shared across different users, and hence, if so, an adversary could leverage this, obtain several JWTs signed by the same key, and then use cryptographic methods to obtain the key?
Related component
Other
To Reproduce
Just activate JWT authentication, obtain several keys for several users, and then use a brute-force approach to obtain the private key.
Expected behavior
It should be safer.
Additional Details
No response
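An added example, written for this page and not taken from the project's JWT implementation or from the reporter, illustrating the threat model behind the question above. With HS256 every token is an HMAC-SHA256 over `header.payload` under one server-side secret, so tokens for different users being signed by the same key is the design, not a leak. The attacker's only route is to guess that secret; holding more tokens does not shrink the search, because any single token confirms or rejects a guess. What decides the outcome is the secret's entropy. The user names, the weak and strong secrets, and the candidate word list are constructed for the demonstration; the code uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT: HMAC-SHA256 over 'header.payload' under the server secret."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(tag)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if `token` is a valid HS256 token under `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad UTF-8 or bad JSON
        return None
    # Pin the algorithm on the server; never let the token pick it (e.g. "none").
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return claims


def guess_secret(tokens: list, candidates: list) -> tuple:
    """Offline dictionary attack on observed tokens.

    Returns (recovered_secret_or_None, guesses_made). Only tokens[0] is consulted:
    one token is enough to confirm or reject a guess, so extra tokens signed
    with the same secret add nothing and do not reduce the search space.
    """
    guesses = 0
    for cand in candidates:
        guesses += 1
        if verify_hs256(tokens[0], cand) is not None:
            return cand, guesses
    return None, guesses


# Constructed sample data for the demonstration.
USERS = ["alice", "bob", "carol"]
CANDIDATES = [w.encode() for w in ["password", "changeme", "secret", "letmein", "jwt", "admin"]]

WEAK_SECRET = b"secret"                  # constructed: short and guessable
STRONG_SECRET = secrets.token_bytes(32)  # 256 random bits from a CSPRNG

WEAK_TOKENS = [sign_hs256({"sub": u}, WEAK_SECRET) for u in USERS]
STRONG_TOKENS = [sign_hs256({"sub": u}, STRONG_SECRET) for u in USERS]


def demo() -> dict:
    """Run the guessing attack against both token sets and summarise the result."""
    weak_hit, weak_tries = guess_secret(WEAK_TOKENS, CANDIDATES)
    strong_hit, strong_tries = guess_secret(STRONG_TOKENS, CANDIDATES)
    return {
        "weak_recovered": weak_hit == WEAK_SECRET,
        "weak_tries": weak_tries,
        "strong_recovered": strong_hit is not None,
        "strong_tries": strong_tries,
        # Exhaustive search of the strong secret would cover 2**256 keys.
        "strong_keyspace_bits": 8 * len(STRONG_SECRET),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The practical answer to the question is therefore not "tokens share a key, so the key leaks" but "an attacker who holds any one token can test guesses offline, so the secret must be unguessable": generate it with a CSPRNG (at least 256 bits for HS256), keep it out of source control, and rotate it. If other services need to verify tokens, an asymmetric algorithm such as RS256 or ES256 keeps the private key on the issuer only. Using a JWT like a device token also needs a short `exp` and a way to revoke (for example a `jti` denylist), since a signature alone cannot be withdrawn.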