add application as aud in token

fix
message
2021-05-07 14:40:40 +02:00 · 2021-05-07 14:06:18 +02:00 · 2021-05-07 14:05:57 +02:00 · 2021-05-07 13:28:12 +02:00 · 2021-05-07 12:24:59 +02:00 · 2021-05-07 12:15:30 +02:00
4 changed files with 83 additions and 6 deletions
--- a/auth.py
+++ b/auth.py
@ -13,7 +13,9 @@ DB_HOST = os.environ["DB_HOST"]
 DB_NAME = os.environ["DB_NAME"]

 JWT_ISSUER = os.environ["JWT_ISSUER"]
-JWT_SECRET = os.environ["JWT_SECRET"]
+
+
+


 class NoUserException(Exception): 
@ -29,6 +31,20 @@ class PasswordMismatchException(Exception):
 UserEntry = namedtuple('UserEntry', ['id', 'login', 'expiry', 'claims'])


+JWT_PRIV_KEY = ""
+try:
+    JWT_PRIV_KEY = os.environ["JWT_PRIV_KEY"]
+except KeyError:
+    with open('/opt/app/config/authservice.key', 'r') as f:
+        JWT_PRIV_KEY = f.read()
+
+JWT_PUB_KEY = ""
+try:
+    JWT_PUB_KEY = os.environ["JWT_PUB_KEY"]
+except KeyError:
+    with open('/opt/app/config/authservice.pub', 'r') as f:
+        JWT_PUB_KEY = f.read()
+

 def getUserEntryFromDB(application: str, login: str):
    conn = None
@ -57,7 +73,7 @@ def getUserEntryFromDB(application: str, login: str):
        for claimObj in cur:
            print("DEBUG: getUserEntryFromDB: add claim {} -> {}".format(claimObj["key"], claimObj["value"]))
            if claimObj["key"] in claims:
-                if isinstance(claimObj["key"], list):
+                if isinstance(claims[claimObj["key"]], list):
                    claims[claimObj["key"]].append(claimObj["value"])
                else:
                    claims[claimObj["key"]] = [ claims[claimObj["key"]] ]
@ -97,13 +113,14 @@ def generateToken(**args):
            "iss": JWT_ISSUER,
            "iat": int(timestamp),
            "exp": int(timestamp + userEntry.expiry),
-            "sub": str(userEntry.id)
+            "sub": str(userEntry.id),
+            "aud": application
        }
        for claim in userEntry.claims.items():
            # print("DEBUG: generateToken: add claim {} -> {}".format(claim[0], claim[1]))
-            payload["x-{}".format(claim[0])] = claim[1]
+            payload[claim[0]] = claim[1]

-        return jwt.encode(payload, JWT_SECRET)
+        return jwt.encode(payload, JWT_PRIV_KEY, algorithm='RS256')
    except NoUserException:
        print("ERROR: generateToken: no user found, login or application wrong")
        raise werkzeug.exceptions.Unauthorized()
@ -119,3 +136,11 @@ def generateToken(**args):
    except Exception as e:
        print("ERROR: generateToken: unspecific exception: {}".format(str(e)))
        raise werkzeug.exceptions.Unauthorized()
+
+def generateTokenFromEnc(**args):
+    cryptContent = args["body"]
+    raise werkzeug.exceptions.NotImplemented("Stay tuned, will be added soon")
+    return str(cryptContent)
+
+def getPubKey():
+    return JWT_PUB_KEY
--- a/openapi.yaml
+++ b/openapi.yaml
@ -7,7 +7,7 @@ paths:
  /auth:
    post:
      tags: [ "JWT" ]
-      summary: Return JWT token
+      summary: Accept login and password, return JWT token
      operationId: auth.generateToken
      requestBody:
        content:
@ -21,6 +21,23 @@ paths:
            'text/plain':
              schema:
                type: string
+  /authe:
+    post:
+      tags: [ "JWT" ]
+      summary: Accept encrypted set of credentials, return JWT token 
+      operationId: auth.generateTokenFromEnc
+      requestBody:
+        content:
+          'text/plain':
+            schema:
+              type: string
+      responses:
+        '200':
+          description: JWT token
+          content:
+            'text/plain':
+              schema:
+                type: string
  /secret:
    get:
      tags: [ "JWT" ]
@ -35,6 +52,19 @@ paths:
                type: string
      security:
      - jwt: ['secret']
+  /pubkey:
+    get:
+      tags: [ "JWT" ]
+      summary: Get the public key of this issuer
+      operationId: auth.getPubKey
+      responses:
+        '200':
+          description: public key
+          content:
+            'text/plain':
+              schema:
+                type: string
+

 components:
  securitySchemes:
--- a/readme.md
+++ b/readme.md
@ -0,0 +1,13 @@
+Generate the RSA key pair using:
+
+
+Private key (keep it secret!):
+
+   openssl genrsa -out authservice.key 2048
+
+
+Extract the public key (publish it):
+
+   openssl rsa -in authservice.pem -outform PEM -pubout -out authservice.pub
+
+
--- a/testjwe.py
+++ b/testjwe.py
@ -0,0 +1,9 @@
+from jose import jwe
+
+
+JWT_PUB_KEY = os.environ["JWT_PUB_KEY"]
+
+plainText = "BlaBlaBla123"
+cryptText = jwe.encrypt(plainText, JWT_PUB_KEY, "A256GCM", "RSA-OAEP")
+
+print(cryptText)
Author	SHA1	Message	Date
Wolfgang Hottgenroth	c7dbaeabbb	add application as aud in token	2021-05-07 14:40:40 +02:00
Wolfgang Hottgenroth	0911a73085	fix	2021-05-07 14:06:18 +02:00
Wolfgang Hottgenroth	1de73e99e3	message	2021-05-07 14:05:57 +02:00
Wolfgang Hottgenroth	b44af0658a	jwe	2021-05-07 13:28:12 +02:00
Wolfgang Hottgenroth	309b4c6ba8	authe	2021-05-07 12:24:59 +02:00
Wolfgang Hottgenroth	a921fb6a0f	changes	2021-05-07 12:15:30 +02:00
Wolfgang Hottgenroth	f56db65012	pubkey stuff, remove debug	2021-05-06 16:55:39 +02:00
Wolfgang Hottgenroth	ef0793be4e	pubkey stuff	2021-05-06 16:52:16 +02:00
Wolfgang Hottgenroth	3f2442e259	pubkey stuff	2021-05-06 16:50:17 +02:00
Wolfgang Hottgenroth	78439a7ed8	pubkey stuff	2021-05-06 16:46:19 +02:00
Wolfgang Hottgenroth	0377278ea0	pubkey stuff	2021-05-06 16:37:32 +02:00
Wolfgang Hottgenroth	49e8aa43b4	use rs256	2021-05-06 15:42:46 +02:00
Wolfgang Hottgenroth	35a997774f	fix in claims handling	2021-05-06 15:22:43 +02:00
Wolfgang Hottgenroth	08734cb82c	remove x from private claims	2021-01-27 13:31:34 +01:00