-rw-r--r--gn2/default_settings.py6
-rw-r--r--gn2/wqflask/oauth2/toplevel.py10
2 files changed, 13 insertions, 3 deletions
diff --git a/gn2/default_settings.py b/gn2/default_settings.py
index e781f196..ab15dbe9 100644
--- a/gn2/default_settings.py
+++ b/gn2/default_settings.py
@@ -120,3 +120,9 @@ OAUTH2_CLIENT_SECRET="yadabadaboo"
 SESSION_TYPE = "redis"
 SESSION_PERMANENT = True
 SESSION_USE_SIGNER = True
+
+
+# BEGIN: JSON WEB KEYS #####
+JWKS_ROTATION_AGE_DAYS = 7 # Days (from creation) to keep a JWK in use.
+JWKS_DELETION_AGE_DAYS = 14 # Days (from creation) to keep a JWK around before deleting it.
+# END: JSON WEB KEYS #####
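Review bot: Nothing ties JWKS_DELETION_AGE_DAYS to JWKS_ROTATION_AGE_DAYS, yet the two values only work as a pair: a key deleted before it has stopped being the signing key, or before every token it signed has expired, leaves still-valid tokens unverifiable via the published key set. Since this is default_settings.py and deployments will override these, the invariant should be documented here and checked where the values are read. For instance, on the deletion line: `JWKS_DELETION_AGE_DAYS = 14 # Must exceed JWKS_ROTATION_AGE_DAYS by at least the longest lifetime of a token signed with the key.` The comment on the rotation line would also benefit from saying that the age is measured from the key file's creation as seen by the jwks module, if that is what it does (jwks module not shown).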
diff --git a/gn2/wqflask/oauth2/toplevel.py b/gn2/wqflask/oauth2/toplevel.py
index 210b0756..7ee0773d 100644
--- a/gn2/wqflask/oauth2/toplevel.py
+++ b/gn2/wqflask/oauth2/toplevel.py
@@ -13,6 +13,7 @@ from flask import (flash,
                    render_template,
                    current_app as app)
 
+from . import jwks
 from . import session
 from .checks import require_oauth2
 from .request_utils import user_details, process_error
@@ -34,7 +35,9 @@ def authorisation_code():
     code = request.args.get("code", "")
     if bool(code):
         base_url = urlparse(request.base_url, scheme=request.scheme)
-        jwtkey = app.config["SSL_PRIVATE_KEY"]
+        jwtkey = jwks.newest_jwk_with_rotation(
+            jwks.jwks_directory(app, "GN2_SECRETS"),
+            int(app.config["JWKS_ROTATION_AGE_DAYS"]))
         issued = datetime.datetime.now()
         request_data = {
             "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
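Review bot: The signing key is now created or rotated as a side effect of handling the OAuth callback at the newest_jwk_with_rotation() call, so the first callback after the rotation age pays the key-generation cost, and if several worker processes handle callbacks concurrently each may generate its own new key unless that helper serialises the write (jwks module not shown). The relying party only learns about a freshly generated key through public_jwks(), so a token signed milliseconds after generation is only verifiable if the auth server refetches the key set rather than caching it; worth confirming. A comment at the call site such as `# May generate a fresh JWK on demand; the auth server must re-read /jwks to verify tokens signed with it` would make that coupling visible. authorisation_code() begins before this hunk and continues after it.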
@@ -81,7 +84,7 @@ def authorisation_code():
             return redirect("/")
 
         return no_token_post(
-            "auth/token", json=request_data).either(
+            "auth/token", data=request_data).either(
                 lambda err: __error__(process_error(err)), __success__)
     flash("AuthorisationError: No code was provided.", "alert-danger")
     return redirect("/")
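Review bot: The switch from `json=` to `data=` on the no_token_post call changes the request body to form encoding without saying why, which invites a well-meaning revert. The jwt-bearer grant (RFC 7523 §2.1) requires its parameters as application/x-www-form-urlencoded, so a one-line comment would anchor the choice, e.g. `# RFC 7523 §2.1: jwt-bearer grant parameters are form-encoded, not JSON`. authorisation_code() begins before this hunk.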
@@ -92,5 +95,6 @@ def public_jwks():
     """Provide endpoint that returns the public keys."""
     return jsonify({
         "documentation": "Returns a static key for the time being. This will change.",
-        "jwks": KeySet([app.config["SSL_PRIVATE_KEY"]]).as_dict().get("keys")
+        "jwks": KeySet(jwks.list_jwks(
+            jwks.jwks_directory(app, "GN2_SECRETS"))).as_dict().get("keys")
     })
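Review bot: The "documentation" string on the context line still says a static key is returned, but with list_jwks() the endpoint now serves every key in the secrets directory, including previous signing keys retained until JWKS_DELETION_AGE_DAYS, so it should be updated, e.g. `"documentation": "Returns all currently valid public keys; the signing key rotates periodically."`. This endpoint also relies on KeySet.as_dict() omitting private parameters by default (if this is authlib's KeySet, its default is is_private=False); since the directory now holds the private signing keys, passing `is_private=False` explicitly would keep that guarantee visible and robust to a library change. public_jwks() begins before this hunk.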