pubkey stuff

asadduser.py

@@ -39,7 +39,7 @@ try:
 
     cur = conn.cursor()
     cur.execute("""
-INSERT INTO users (login, password)
+INSERT INTO users (login, pwhash)
   VALUES(?, ?)
 """, [user, pwhash])
     cur.execute("""

auth.py

@@ -13,7 +13,9 @@ DB_HOST = os.environ["DB_HOST"]
 DB_NAME = os.environ["DB_NAME"]
 
 JWT_ISSUER = os.environ["JWT_ISSUER"]
-JWT_SECRET = os.environ["JWT_SECRET"]
+
+
+
 
 
 class NoUserException(Exception): 
@@ -28,6 +30,13 @@ class PasswordMismatchException(Exception):
 
 UserEntry = namedtuple('UserEntry', ['id', 'login', 'expiry', 'claims'])
 
+JWT_PRIV_KEY = ""
+with open('/opt/app/config/authservice.key', 'r') as f:
+    JWT_PRIV_KEY = f.read().replace('\n','')
+
+JWT_PUB_KEY = ""
+with open('/opt/app/config/authservice.pub', 'r') as f:
+    JWT_PUB_KEY = f.read().replace('\n','')
 
 
 def getUserEntryFromDB(application: str, login: str):
@@ -57,7 +66,7 @@ def getUserEntryFromDB(application: str, login: str):
         for claimObj in cur:
             print("DEBUG: getUserEntryFromDB: add claim {} -> {}".format(claimObj["key"], claimObj["value"]))
             if claimObj["key"] in claims:
-                if isinstance(claimObj["key"], list):
+                if isinstance(claims[claimObj["key"]], list):
                     claims[claimObj["key"]].append(claimObj["value"])
                 else:
                     claims[claimObj["key"]] = [ claims[claimObj["key"]] ]
@@ -101,9 +110,9 @@ def generateToken(**args):
         }
         for claim in userEntry.claims.items():
             # print("DEBUG: generateToken: add claim {} -> {}".format(claim[0], claim[1]))
-            payload["x-{}".format(claim[0])] = claim[1]
+            payload[claim[0]] = claim[1]
 
-        return jwt.encode(payload, JWT_ISSUER)
+        return jwt.encode(payload, JWT_PRIV_KEY, algorithm='RS256')
     except NoUserException:
         print("ERROR: generateToken: no user found, login or application wrong")
         raise werkzeug.exceptions.Unauthorized()
@@ -119,3 +128,6 @@ def generateToken(**args):
     except Exception as e:
         print("ERROR: generateToken: unspecific exception: {}".format(str(e)))
         raise werkzeug.exceptions.Unauthorized()
+
+def getPubKey():
+    return JWT_PUB_KEY

openapi.yaml

@@ -35,6 +35,19 @@ paths:
                 type: string
       security:
       - jwt: ['secret']
+  /pubkey:
+    get:
+      tags: [ "JWT" ]
+      summary: Get the public key of this issuer
+      operationId: auth.getPubKey
+      responses:
+        '200':
+          description: public key
+          content:
+            'text/plain':
+              schema:
+                type: string
+
 
 components:
   securitySchemes:

readme.md

@@ -0,0 +1,13 @@
+Generate the RSA key pair using:
+
+
+Private key (keep it secret!):
+
+   openssl genrsa -out authservice.key 2048
+
+
+Extract the public key (publish it):
+
+   openssl rsa -in authservice.pem -outform PEM -pubout -out authservice.pub
+
+

server.py

@@ -3,7 +3,7 @@ from flask_cors import CORS
 
 # instantiate the webservice
 app = connexion.App(__name__)
-app.add_api('openapi.yaml', options = {"swagger_ui": False})
+app.add_api('openapi.yaml', options = {"swagger_ui": True})
 
 # CORSify it - otherwise Angular won't accept it
 CORS(app.app)