Separate the auth server's public key from app's private key

* Use the app's private key to sign the initial assertions used for
  retrieving an authorisation token from the auth server.
* Use auth server's public key to validate the authorisation tokens
  got from the auth server.

1 files changed, 5 insertions, 2 deletions

diff --git a/gn2/wqflask/oauth2/toplevel.py b/gn2/wqflask/oauth2/toplevel.py
index bc32e80e..a1e9196d 100644
--- a/gn2/wqflask/oauth2/toplevel.py
+++ b/gn2/wqflask/oauth2/toplevel.py
@@ -46,7 +46,7 @@ def authorisation_code():
     code = request.args.get("code", "")
     if bool(code):
         base_url = urlparse(request.base_url, scheme=request.scheme)
-        jwtkey = app.config["JWT_PRIVATE_KEY"]
+        jwtkey = app.config["SSL_PRIVATE_KEY"]
         issued = datetime.datetime.now()
         request_data = {
             "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
@@ -56,7 +56,10 @@ def authorisation_code():
                 urlunparse(base_url),
                 url_for("oauth2.toplevel.authorisation_code")),
             "assertion": jwt.encode(
-                header={"alg": "RS256", "typ": "jwt", "kid": jwtkey.kid},
+                header={
+                    "alg": "RS256",
+                    "typ": "jwt",
+                    "kid": jwtkey.as_dict()["kid"]},
                 payload={
                     "iss": str(oauth2_clientid()),
                     "sub": request.args["user_id"],