
No JWKS endpoint #2

Open
kkinder opened this issue Jan 20, 2020 · 8 comments
Labels
enhancement New feature or request

Comments

@kkinder

kkinder commented Jan 20, 2020

To my understanding, when implementing OIDC, you need a JWKS endpoint. (A discovery endpoint would also be pretty helpful). Perhaps I'm missing something, but this example doesn't seem to provide a way for the client to validate the bundled OIDC profile because there's no jwks endpoint.

@lepture lepture added the enhancement New feature or request label Aug 16, 2020
@dwt

dwt commented Aug 13, 2021

I have successfully implemented a jwks_endpoint like this:

from pathlib import Path

from authlib.jose import JsonWebKey, KeySet
from flask import Blueprint, jsonify

bp = Blueprint("oauth", __name__)  # the example's existing blueprint (name assumed)

def load_public_keys():
    # import the PEM-encoded public key and label it as the RS256 signing key
    public_key_path = Path("etc") / "public.pem"
    public_key = JsonWebKey.import_key(public_key_path.read_bytes())
    public_key["use"] = "sig"
    public_key["alg"] = "RS256"
    return KeySet([public_key])

@bp.route("/oauth/jwks")
def jwks_endpoint():
    # serve the key set as a JWKS document; as_dict() emits only public material
    return jsonify(load_public_keys().as_dict())

@lepture is this the right way to go about this? Is this something that can be added to the example code?

Maybe with auto generated keys on start-up? If they are delivered to the client via auto discovery, they do not need to be persistent, right?

@dwt

dwt commented Aug 13, 2021

Almost forgot, to actually use the private key for id_token generation, I needed this code:

from pathlib import Path

from authlib.jose import JsonWebKey, KeySet

JWT_CONFIG = {
    "key": "secret-key",  # placeholder, replaced with the RSA key below
    "alg": "RS256",
    "iss": "https://example.com",
    "exp": 3600,
}
private_key_path = Path("etc") / "private.pem"
private_key = JsonWebKey.import_key(private_key_path.read_text())
# hand the private key to the OpenID Connect grant as a key-set dict
JWT_CONFIG["key"] = KeySet([private_key]).as_dict()

The last as_dict() took me about half a day to find out, and it is maybe not needed with the current master branch anymore (looks like it from the source code, but I haven't tried yet).

@dwt

dwt commented Oct 19, 2021

@lepture ping?

@lepture
Member

lepture commented Oct 20, 2021

There is a way to generate the keys with Authlib. I’ll update it later.

@dwt

dwt commented Oct 20, 2021

Generating the keys seems like a great idea, I would like persistence though.

It seems, though, that otherwise every restart of the OIDC server would require a restart of the consumer app too while working on it - if that is the case, persistence of the generated key would probably be wise. :-)

Other than that: Thanks!

@dwt

dwt commented Oct 20, 2021

Also, this would go especially great with #11. :-)

@pserey

pserey commented Jan 16, 2023

Hello! Any updates on this? I'm implementing an authorization server with authlib and had already done something like @dwt at this endpoint, but if there was something simpler with the use of authlib for generating keys it would be awesome!

@kamikaze

Any updates? Is this project dead?
