Implement JWK (Set) fetching and publishing for other services #321

Open
golyalpha opened this issue Apr 18, 2020 · 3 comments

Comments

@golyalpha

golyalpha commented Apr 18, 2020

Following a discussion on Discord:

Issue

Currently, multi-service setups require some kind of external method of synchronizing keys.

Proposed change

I propose an extension of this package that would allow its users (the service developer) to specify a JWK_PROVIDER config key (JWK = JSON Web Key, hence JWK_PROVIDER), which the JWTManager.decode_key_loader method would use to fetch JWKs/JWK Sets from in order to verify JWTs issued by another service (think microservices where one is the service "useful" to its users, and another is responsible for making sure the user is who they claim they are, or potentially a 3rd party verifies users, like Auth0, and I have to make sure that Auth0 has in fact verified the user in my own app).

Possible implementation

The implementation would likely entail:

  • Adding JWK_PROVIDER configuration key to documentation
  • Extending JWTManager.decode_key_loader to handle JWT_SECRET_KEY or JWT_PUBLIC_KEY not being defined by requesting a JWK (Set) from the provider specified in JWK_PROVIDER
  • Adding a /jwks endpoint which would expose public(!) keys

Note:
If the received JWT is using a symmetric key, but no secret key is defined, we should make the request fail even if JWK_PROVIDER is defined as this mechanism should not be used to exchange secret keys.

What can potentially be included, but is not as necessary at this moment:

  • Allow for keys to be defined in JWT_*_KEY configuration keys as key string, JWK or JWK Set
  • Allow for JWK_PROVIDER to be only a hostname, adding the HTTPS protocol and the /jwks endpoint ourselves.

Topics to discuss

  • Should we merge JWT_*_KEY and JWK_PROVIDER config keys into a single config key?
  • What should we name the JWK_PROVIDER key or the merged key, if we decide to do so.
  • What should the endpoint exposing public keys be called.

Further reading

RFC 7517 - Introduces JWKs and JWK Sets: https://tools.ietf.org/html/rfc7517
NGINX JWT Auth module documentation: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-jwt-authentication/
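Both halves of the proposal above, the key loader that consults a JWK provider and the endpoint that publishes only public keys, as an added example. This is not flask-jwt-extended's code and not the issue author's; `JwkProvider`, the `("kind", key)` shape returned by `decode_key_loader`, the `JWK_PROVIDER` config key wiring and the sample key documents are all assumptions for illustration. The loader only decides which key the JWT library should verify with; the asymmetric signature check itself is left to that library. The one signature check implemented here is the HMAC path, because that is where the note above applies: a symmetric token is only ever verified against the locally configured secret, never against anything fetched from a provider.

```python
import base64
import hashlib
import hmac
import json
import time

SYMMETRIC_ALGS = {"HS256", "HS384", "HS512"}
# Which JWK key type may carry which asymmetric signing algorithm.
ASYMMETRIC_ALGS = {
    "RSA": {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"},
    "EC": {"ES256", "ES384", "ES512"},
    "OKP": {"EdDSA"},
}
# JWK members holding private material; none of these belong in a published JWKS.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

# Constructed sample key list of the issuing service. The n/e/d/p/q values are
# placeholders, not a real RSA key; only the document structure matters here.
SAMPLE_PRIVATE_KEYS = [
    {"kty": "RSA", "kid": "rsa-2020-04", "use": "sig", "alg": "RS256", "e": "AQAB",
     "n": "placeholder-modulus", "d": "placeholder-private-exponent",
     "p": "placeholder-prime-1", "q": "placeholder-prime-2"},
    {"kty": "oct", "kid": "hmac-local", "k": "placeholder-shared-secret"},
]

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def split_jwt(token: str):
    """Return (header, signing_input, signature) without verifying anything."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT") from None
    return json.loads(b64url_decode(h)), f"{h}.{p}".encode(), b64url_decode(s)

def make_token(header: dict, claims: dict, secret: str = "") -> str:
    """Constructed token: HMAC-SHA256 signed; for asymmetric headers the signature is a placeholder."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def public_jwks(private_keys) -> dict:
    """What a /jwks endpoint should serve: asymmetric keys only, private members stripped."""
    return {"keys": [{k: v for k, v in jwk.items() if k not in PRIVATE_MEMBERS}
                     for jwk in private_keys if jwk.get("kty") != "oct"]}

class JwkProvider:
    """Hypothetical stand-in for the proposed JWK_PROVIDER: `fetch` returns the
    provider's JWKS (an HTTPS GET in practice), cached for `ttl` seconds."""

    def __init__(self, fetch, ttl=300):
        self._fetch, self._ttl = fetch, ttl
        self._jwks, self._fetched_at = None, 0.0

    def jwks(self, force=False) -> dict:
        if force or self._jwks is None or time.monotonic() - self._fetched_at > self._ttl:
            self._jwks, self._fetched_at = self._fetch(), time.monotonic()
        return self._jwks

    def key_for(self, kid, alg) -> dict:
        """Signing key matching kid whose type fits alg. Published oct keys are
        skipped (this channel never carries secrets); a miss refetches once so a
        freshly rotated key is found without waiting for the TTL."""
        for force in (False, True):
            for jwk in self.jwks(force=force).get("keys", []):
                if jwk.get("kid") != kid or jwk.get("kty") == "oct":
                    continue
                if jwk.get("use", "sig") != "sig" or jwk.get("alg", alg) != alg:
                    continue
                if alg in ASYMMETRIC_ALGS.get(jwk.get("kty"), set()):
                    return jwk
        raise LookupError(f"no usable key for kid={kid!r} alg={alg!r}")

def decode_key_loader(token: str, config: dict):
    """Return ("secret", key), ("pem", key) or ("jwk", key) for the JWT library to verify
    with. HMAC algorithms are only honoured against JWT_SECRET_KEY, never provider keys."""
    header, _, _ = split_jwt(token)
    alg = header.get("alg")
    if alg in SYMMETRIC_ALGS:
        if not config.get("JWT_SECRET_KEY"):
            raise PermissionError("symmetric token but no JWT_SECRET_KEY configured")
        return "secret", config["JWT_SECRET_KEY"]
    if not any(alg in algs for algs in ASYMMETRIC_ALGS.values()):
        raise PermissionError(f"unsupported alg {alg!r}")  # also rejects "none"
    if config.get("JWT_PUBLIC_KEY"):
        return "pem", config["JWT_PUBLIC_KEY"]
    if config.get("JWK_PROVIDER") is None:
        raise PermissionError("neither JWT_PUBLIC_KEY nor JWK_PROVIDER configured")
    return "jwk", config["JWK_PROVIDER"].key_for(header.get("kid"), alg)

def verify_hs256(token: str, secret: str) -> bool:
    """Constant-time signature check for the local-secret path."""
    _, signing_input, sig = split_jwt(token)
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)
```

Two points worth keeping in mind if this is turned into a real implementation: the `kid` and `alg` come from an unverified header, so they are used only as a lookup index and a policy input, never as a statement of fact, and the refetch-on-miss should be rate limited so that a client sending made-up `kid` values cannot turn the provider fetch into a denial of service.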

@aldo-o

aldo-o commented Jun 24, 2021

Any update on this?

@vimalloc
Owner

Nothing at this time. I do agree this is a good idea and would be cool to have some first class support built into this extension, but I don't have the time to work on it right now. I'll keep it on the backburner for when things calm down, or if anyone else wants to take a stab at it pull requests are always welcome! 👍

@anneclairelh

Any update on this? This would be very useful for integrating Flask APIs with Auth0.
