author | Frederick Muriuki Muriithi | 2024-08-01 12:33:12 -0500 |
---|---|---|
committer | Frederick Muriuki Muriithi | 2024-08-01 15:02:17 -0500 |
commit | c9063f5bde9a6163958a635b301d20a6323c874f (patch) | |
tree | a88f636f04e3f7398e0d5bdff43bf99869242e51 | |
parent | 20933e55de7927063dd159d116b468b4724a19a8 (diff) | |
Use auto-created and auto-rotated JSON Web Keys
Use auto-created JWKs for better security.
-rw-r--r-- | gn2/default_settings.py | 6 | ||||
-rw-r--r-- | gn2/wqflask/oauth2/toplevel.py | 10 |
2 files changed, 13 insertions, 3 deletions
diff --git a/gn2/default_settings.py b/gn2/default_settings.py index e781f196..ab15dbe9 100644 --- a/gn2/default_settings.py +++ b/gn2/default_settings.py @@ -120,3 +120,9 @@ OAUTH2_CLIENT_SECRET="yadabadaboo" SESSION_TYPE = "redis" SESSION_PERMANENT = True SESSION_USE_SIGNER = True + + +# BEGIN: JSON WEB KEYS ##### +JWKS_ROTATION_AGE_DAYS = 7 # Days (from creation) to keep a JWK in use. +JWKS_DELETION_AGE_DAYS = 14 # Days (from creation) to keep a JWK around before deleting it. +# END: JSON WEB KEYS ##### diff --git a/gn2/wqflask/oauth2/toplevel.py b/gn2/wqflask/oauth2/toplevel.py index 210b0756..7ee0773d 100644 --- a/gn2/wqflask/oauth2/toplevel.py +++ b/gn2/wqflask/oauth2/toplevel.py @@ -13,6 +13,7 @@ from flask import (flash, render_template, current_app as app) +from . import jwks from . import session from .checks import require_oauth2 from .request_utils import user_details, process_error @@ -34,7 +35,9 @@ def authorisation_code(): code = request.args.get("code", "") if bool(code): base_url = urlparse(request.base_url, scheme=request.scheme) - jwtkey = app.config["SSL_PRIVATE_KEY"] + jwtkey = jwks.newest_jwk_with_rotation( + jwks.jwks_directory(app, "GN2_SECRETS"), + int(app.config["JWKS_ROTATION_AGE_DAYS"])) issued = datetime.datetime.now() request_data = { "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", @@ -81,7 +84,7 @@ def authorisation_code(): return redirect("/") return no_token_post( - "auth/token", json=request_data).either( + "auth/token", data=request_data).either( lambda err: __error__(process_error(err)), __success__) flash("AuthorisationError: No code was provided.", "alert-danger") return redirect("/") 
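Review bot: The two new settings have an ordering constraint that the comments do not state: a key rotated out of use after `JWKS_ROTATION_AGE_DAYS` must stay on disk (and therefore in the public key set) until every JWT it signed has expired, otherwise those tokens become unverifiable; `JWKS_DELETION_AGE_DAYS` is presumably the knob that guarantees that, but nothing here says it must exceed the rotation age plus the longest token lifetime. I would extend the comment to `# Must be greater than JWKS_ROTATION_AGE_DAYS plus the longest lifetime of a JWT signed with the key.` and have the jwks module reject a configuration where deletion age is not greater than rotation age at startup rather than discovering it when a token fails to verify. Note also that the value is only converted with `int(app.config[...])` at request time in the toplevel.py hunk, so a non-integer override from an instance config would surface as a failure in the login callback rather than at boot.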
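Review bot: The new `jwtkey = jwks.newest_jwk_with_rotation(...)` call performs key rotation as a side effect of handling a user's authorisation-code callback, which means key creation now happens inside a request handler and, with several worker processes serving callbacks concurrently, more than one worker may decide the newest key is stale at the same moment; that is harmless only if the helper writes each key file atomically (write to a temporary name, then rename) so a concurrent `list_jwks` or `newest_jwk_with_rotation` never reads a half-written key — I cannot see the helper from this hunk, so please confirm. The secrets-directory selector `"GN2_SECRETS"` is also repeated verbatim in the `public_jwks` hunk below; hoisting it to a module constant such as `JWKS_SECRETS_KEY = "GN2_SECRETS"` keeps the signing path and the published key set from silently diverging. The enclosing `def authorisation_code():` starts before this hunk and its body continues past it.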
@@ -92,5 +95,6 @@ def public_jwks():
     """Provide endpoint that returns the public keys."""
     return jsonify({
         "documentation": "Returns a static key for the time being. This will change.",
-        "jwks": KeySet([app.config["SSL_PRIVATE_KEY"]]).as_dict().get("keys")
+        "jwks": KeySet(jwks.list_jwks(
+            jwks.jwks_directory(app, "GN2_SECRETS"))).as_dict().get("keys")
     })
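Review bot: The `"documentation"` value still says `"Returns a static key for the time being. This will change."`, which is now wrong since the endpoint serves whatever `jwks.list_jwks` finds in the secrets directory and those keys rotate; change it to something like `"documentation": "Returns the public JWKs this client currently uses or recently used to sign token requests; keys are rotated periodically."`. More importantly, the keys loaded from the secrets directory are the signing (private) keys, and the response relies on the library default of `as_dict()` omitting private members — if `KeySet` is authlib's the default is `is_private=False`, but a public endpoint should not depend on a default, so write `.as_dict(is_private=False)` explicitly. Finally, confirm that `list_jwks` returns every key up to `JWKS_DELETION_AGE_DAYS` and not only the active one, since the verifier needs the rotated-out key until the last token it signed expires.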