aboutsummaryrefslogtreecommitdiff
path: root/gn2
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2024-08-01 12:33:12 -0500
committerAlexander_Kabui2024-08-28 15:02:46 +0300
commitde69de2d6570837ea47dba5d11308c56c8cd86fb (patch)
tree68f931e87b6f2a6032c8a47249559f4ff0a48480 /gn2
parenta9a8ef79a10c58a514d5aac0b2b1c9000a57f9f8 (diff)
downloadgenenetwork2-de69de2d6570837ea47dba5d11308c56c8cd86fb.tar.gz
Use auto-created and auto-rotated JSON Web Keys
Use auto-created JWKs for better security.
Diffstat (limited to 'gn2')
-rw-r--r--gn2/default_settings.py6
-rw-r--r--gn2/wqflask/oauth2/toplevel.py10
2 files changed, 13 insertions, 3 deletions
diff --git a/gn2/default_settings.py b/gn2/default_settings.py
index e781f196..ab15dbe9 100644
--- a/gn2/default_settings.py
+++ b/gn2/default_settings.py
@@ -120,3 +120,9 @@ OAUTH2_CLIENT_SECRET="yadabadaboo"
SESSION_TYPE = "redis"
SESSION_PERMANENT = True
SESSION_USE_SIGNER = True
+
+
+# BEGIN: JSON WEB KEYS #####
+JWKS_ROTATION_AGE_DAYS = 7 # Days (from creation) to keep a JWK in use.
+JWKS_DELETION_AGE_DAYS = 14 # Days (from creation) to keep a JWK around before deleting it.
+# END: JSON WEB KEYS #####
diff --git a/gn2/wqflask/oauth2/toplevel.py b/gn2/wqflask/oauth2/toplevel.py
index 210b0756..7ee0773d 100644
--- a/gn2/wqflask/oauth2/toplevel.py
+++ b/gn2/wqflask/oauth2/toplevel.py
@@ -13,6 +13,7 @@ from flask import (flash,
render_template,
current_app as app)
+from . import jwks
from . import session
from .checks import require_oauth2
from .request_utils import user_details, process_error
@@ -34,7 +35,9 @@ def authorisation_code():
code = request.args.get("code", "")
if bool(code):
base_url = urlparse(request.base_url, scheme=request.scheme)
- jwtkey = app.config["SSL_PRIVATE_KEY"]
+ jwtkey = jwks.newest_jwk_with_rotation(
+ jwks.jwks_directory(app, "GN2_SECRETS"),
+ int(app.config["JWKS_ROTATION_AGE_DAYS"]))
issued = datetime.datetime.now()
request_data = {
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
@@ -81,7 +84,7 @@ def authorisation_code():
return redirect("/")
return no_token_post(
- "auth/token", json=request_data).either(
+ "auth/token", data=request_data).either(
lambda err: __error__(process_error(err)), __success__)
flash("AuthorisationError: No code was provided.", "alert-danger")
return redirect("/")
@@ -92,5 +95,6 @@ def public_jwks():
"""Provide endpoint that returns the public keys."""
return jsonify({
"documentation": "Returns a static key for the time being. This will change.",
- "jwks": KeySet([app.config["SSL_PRIVATE_KEY"]]).as_dict().get("keys")
+ "jwks": KeySet(jwks.list_jwks(
+ jwks.jwks_directory(app, "GN2_SECRETS"))).as_dict().get("keys")
})