Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update LMS private key JWKs to prepare for pyjwkest removal #261

Closed
14 tasks done
timmc-edx opened this issue Apr 4, 2023 · 5 comments
Closed
14 tasks done

Update LMS private key JWKs to prepare for pyjwkest removal #261

timmc-edx opened this issue Apr 4, 2023 · 5 comments
Assignees
@rgraber @timmc-edx

Comments

@timmc-edx
Copy link
Member

timmc-edx commented Apr 4, 2023
edited
Loading

As part of openedx/edx-drf-extensions#290 we need to update our JWKs to be forward-compatible with PyJWT, which requires that either all optional params are present in an RSA JWK, or none are. (With pyjwkest, we've been able to get away with having a partial list of these precomputed values.)

In openedx/edx-platform#31927 we determined that the likely least-friction method of upgrading is to update the private keys in-place to include all of the precomputed private numbers:
@timmc-edx timmc-edx converted this from a draft issue Apr 4, 2023
@timmc-edx timmc-edx removed the status in Arch-BOM Apr 4, 2023
@timmc-edx timmc-edx mentioned this issue Apr 4, 2023
Merged
@jmbowman jmbowman moved this to Prioritized in Arch-BOM Apr 4, 2023
@timmc-edx timmc-edx moved this from Prioritized to In Progress in Arch-BOM Apr 4, 2023
timmc-edx added a commit to openedx/edx-drf-extensions that referenced this issue Apr 5, 2023
@timmc-edx
feat: Add JWT key-set size custom attribute to aid in key rotations
11b3d05 
Part of edx/edx-arch-experiments#261
@timmc-edx timmc-edx mentioned this issue Apr 5, 2023
Merged
4 tasks
timmc-edx added a commit to openedx/edx-drf-extensions that referenced this issue Apr 5, 2023
@timmc-edx
feat: Add JWT key-set size custom attribute to aid in key rotations (#…
6049067 
…317)

Part of edx/edx-arch-experiments#261
@timmc-edx timmc-edx self-assigned this Apr 5, 2023
@robrap
Copy link
Contributor

robrap commented Apr 17, 2023

@rgraber may be able to help @timmc-edx as eSRE.

@rgraber
Copy link
Contributor

rgraber commented Apr 17, 2023
edited
Loading

Yes, I can do this. I ran it by SRE just to be sure and they told me to go for it.

@rgraber
Copy link
Contributor

rgraber commented Apr 18, 2023

@timmc-edx am I correct in assuming I should also do this for sandboxes?

@rgraber rgraber moved this from In Progress to Blocked in Arch-BOM Apr 19, 2023
@rgraber
Copy link
Contributor

rgraber commented Apr 19, 2023

We have decided to update the key rather than roll it since it requires less e/SRE intervention. This is blocked on getting the decrypted private key from SRE, who have it in their sprint.

@rgraber rgraber moved this from Blocked to In Progress in Arch-BOM Apr 20, 2023
@timmc-edx timmc-edx changed the title Roll LMS JWKs to prepare for pyjwkest removal Update LMS private key JWKs to prepare for pyjwkest removal Apr 24, 2023
@rgraber
Copy link
Contributor

rgraber commented Apr 25, 2023
edited
Loading

Follow up ticket for updating generate_jwt_signing_key is openedx/edx-platform#32125 . Sandboxes use this to generate keys on provisioning, so updating the script should update sandboxes as well.

@github-project-automation github-project-automation bot moved this from In Progress to Done in Arch-BOM May 9, 2023
@timmc-edx timmc-edx mentioned this issue May 23, 2023
Open
@timmc-edx timmc-edx mentioned this issue Oct 17, 2023
Merged
6 tasks
@jristau1984 jristau1984 moved this from Done to Done - Long Term Storage in Arch-BOM Sep 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rgraber rgraber

@timmc-edx timmc-edx

Labels
None yet
Projects
Arch-BOM
Status: Done - Long Term Storage
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rgraber @robrap @timmc-edx