
JWKS demo #63

Merged
merged 5 commits into from
Aug 23, 2023

Conversation

@kevinwallimann (Collaborator) commented Aug 22, 2023

Closes #62

This is just a draft to demonstrate the JWKS endpoint for the public key. JWKS is a standard defined in https://datatracker.ietf.org/doc/html/rfc7517 and is implemented e.g. by org.springframework.boot:spring-boot-starter-oauth2-resource-server. Resource servers can just add this dependency instead of implementing fetching and parsing the endpoint themselves. Instead, it's just one line of application configuration, i.e.

spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://localhost:9090/token/public-key-jwks

and a few lines in the security configuration (which you need for any JWT security)

Problems

The following issues need to be discussed before merging
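The following is an added illustration, not code from this PR or from the login service (which is Scala/Spring). It shows, in Python using only the standard library, what a `/token/public-key-jwks` endpoint publishes per RFC 7517: the RSA public key as a JWK with `n` and `e` in Base64urlUInt form, a `kid` derived as the RFC 7638 thumbprint (the choice the final commits on this PR settle on), and a guard that refuses to serialise private RSA members. `SAMPLE_N` and `SAMPLE_E` are constructed toy values, not a real key, and all function names are my own.

```python
import base64
import hashlib
import json

# Constructed sample public-key values (NOT a real key): tiny integers so the
# base64url encoding can be checked by hand. A production modulus is >= 2048 bits.
SAMPLE_N = 0xC0FFEE
SAMPLE_E = 65537

# RSA private parameters (RFC 7518 section 6.3.2) that must never leave the issuer.
PRIVATE_RSA_MEMBERS = frozenset({"d", "p", "q", "dp", "dq", "qi", "oth"})


def b64url(raw: bytes) -> str:
    """base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_uint(value: int) -> str:
    """RFC 7518 Base64urlUInt: big-endian, minimal number of octets, no padding."""
    length = max(1, (value.bit_length() + 7) // 8)
    return b64url(value.to_bytes(length, "big"))


def thumbprint_input(n_b64: str, e_b64: str) -> str:
    """RFC 7638 canonical form: only the required members (e, kty, n for RSA),
    lexicographically ordered, no whitespace. kid/use/alg are deliberately excluded,
    so the thumbprint depends on the key material alone."""
    return json.dumps({"e": e_b64, "kty": "RSA", "n": n_b64},
                      sort_keys=True, separators=(",", ":"))


def rsa_thumbprint(n_b64: str, e_b64: str) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON))."""
    digest = hashlib.sha256(thumbprint_input(n_b64, e_b64).encode("utf-8")).digest()
    return b64url(digest)


def rsa_public_jwk(n: int, e: int, alg: str = "RS256") -> dict:
    """Public JWK for an RSA signing key, with kid = RFC 7638 thumbprint."""
    n_b64, e_b64 = b64url_uint(n), b64url_uint(e)
    return {"kty": "RSA", "use": "sig", "alg": alg,
            "kid": rsa_thumbprint(n_b64, e_b64), "n": n_b64, "e": e_b64}


def is_public_only(jwk: dict) -> bool:
    """True if the JWK carries no private RSA parameters."""
    return PRIVATE_RSA_MEMBERS.isdisjoint(jwk)


def jwks_document(keys: list) -> str:
    """Serialise a JWK Set (RFC 7517 section 5). Refuses to publish private material,
    which is the one mistake a public-key JWKS endpoint must never make."""
    for jwk in keys:
        if not is_public_only(jwk):
            raise ValueError("refusing to publish a JWK with private members: kid=%s"
                             % jwk.get("kid"))
    return json.dumps({"keys": keys}, separators=(",", ":"))


def kids_in_document(text: str) -> list:
    """kid values a resource server would index from a fetched JWKS."""
    return [k.get("kid") for k in json.loads(text).get("keys", [])]


if __name__ == "__main__":
    print(jwks_document([rsa_public_jwk(SAMPLE_N, SAMPLE_E)]))
```

The issuer puts the same `kid` in every JWT header it signs, and the resource server uses it to pick one entry out of the set; without a `kid` the consumer has to try every published key, which is why the later commits on this PR add one. Because the thumbprint hashes only `e`, `kty` and `n`, re-publishing the same key with a different `alg` or `use` yields the same `kid`, and a rotated key necessarily gets a new one.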

@github-actions bot commented Aug 22, 2023

JaCoCo code coverage report - scala:2.12.17

| File | Coverage [92.25%] 🍏 |
| --- | --- |
| TokenController.scala | 100% 🍏 |
| SecurityConfig.scala | 100% 🍏 |
| JWTService.scala | 84.62% 🍏 |
| Total Project Coverage | 75.52% 🍏 |

@jakipatryk (Collaborator) commented:

> Instead, it's just one line of application configuration, i.e.
> spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://localhost:9090/token/public-key-jwks

Does it support JWKS refresh out of the box? If yes, how often does it do that?

@kevinwallimann (Collaborator, Author) commented:

> Instead, it's just one line of application configuration, i.e.
> spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://localhost:9090/token/public-key-jwks
>
> Does it support JWKS refresh out of the box? If yes, how often does it do that?

Excellent question! It is refreshed every 5 mins, see https://bitbucket.org/connect2id/nimbus-jose-jwt/src/9.24.4/src/main/java/com/nimbusds/jose/jwk/source/DefaultJWKSetCache.java

I've just tried it out myself
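An added example, not the project's code and not the Nimbus implementation the reply links to: a simplified Python sketch of the consumer side, i.e. what a resource server configured with `jwk-set-uri` does with the fetched set. It refetches on a 300 s TTL (the interval quoted above), refetches once more when a token names a `kid` it has never seen (the key-rotation case), and rate-limits that second path so a flood of tokens with made-up kids cannot turn the resource server into a DoS client of the JWKS endpoint. The JWK entries, the `FakeClock`, the 30 s interval and all class and function names are constructed for the walkthrough.

```python
import json
import time
from typing import Callable, Dict, List, Optional

# Constructed sample JWK Set entries (not real keys; the n values are placeholders).
JWK_V1 = {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "key-v1", "n": "wP_u", "e": "AQAB"}
JWK_V2 = {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "key-v2", "n": "3q2-7w", "e": "AQAB"}
JWK_ENC = {"kty": "RSA", "use": "enc", "alg": "RSA-OAEP", "kid": "enc-1", "n": "ESIzRA", "e": "AQAB"}


class JwksCache:
    """JWK Set cache with a fixed TTL plus a rate-limited refresh on unknown kid.
    Illustrative design only, not a port of any library's cache."""

    def __init__(self, fetch: Callable[[], dict], ttl_seconds: float = 300.0,
                 min_refresh_interval: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch            # stands in for an HTTPS GET of the jwk-set-uri
        self._ttl = ttl_seconds
        self._min_refresh = min_refresh_interval
        self._clock = clock
        self._keys: Dict[str, dict] = {}
        self._fetched_at: Optional[float] = None
        self.fetch_count = 0

    def _refresh(self) -> None:
        keys: Dict[str, dict] = {}
        for jwk in self._fetch().get("keys", []):
            # Only RSA signing keys with a kid are usable for JWT verification here;
            # encryption keys and kid-less entries are skipped rather than guessed at.
            if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig" or not jwk.get("kid"):
                continue
            keys[jwk["kid"]] = jwk
        self._keys = keys
        self._fetched_at = self._clock()
        self.fetch_count += 1

    def _stale(self) -> bool:
        return self._fetched_at is None or self._clock() - self._fetched_at >= self._ttl

    def _may_refresh_for_unknown_kid(self) -> bool:
        return self._fetched_at is not None and self._clock() - self._fetched_at >= self._min_refresh

    def known_kids(self) -> List[str]:
        return sorted(self._keys)

    def get_key(self, kid: str) -> Optional[dict]:
        if self._stale():
            self._refresh()
        jwk = self._keys.get(kid)
        if jwk is None and self._may_refresh_for_unknown_kid():
            # An unseen kid may be a freshly rotated key published after the last fetch,
            # so refetch once; the interval check stops bogus kids from hammering the issuer.
            self._refresh()
            jwk = self._keys.get(kid)
        return jwk


class FakeClock:
    """Deterministic clock so TTL behaviour can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def simulate_rotation() -> dict:
    """Walk a key rotation through the cache and record what a resource server sees."""
    clock = FakeClock()
    published = {"keys": [JWK_V1, JWK_ENC]}

    def fetch() -> dict:
        return json.loads(json.dumps(published))   # fresh copy per call, like a new response

    cache = JwksCache(fetch, ttl_seconds=300.0, min_refresh_interval=30.0, clock=clock)
    out = {}
    out["v1_found"] = cache.get_key("key-v1") is not None          # first use: fetch 1
    out["known_after_first"] = cache.known_kids()                   # enc key not indexed
    clock.now = 100.0
    out["v1_cached"] = cache.get_key("key-v1") is not None          # inside TTL: no fetch
    out["fetches_after_cached"] = cache.fetch_count
    published["keys"] = [JWK_V1, JWK_V2, JWK_ENC]                   # issuer adds key-v2
    clock.now = 120.0
    out["v2_found"] = cache.get_key("key-v2") is not None           # unknown kid: fetch 2
    out["fetches_after_rotation"] = cache.fetch_count
    clock.now = 130.0
    out["bogus_found"] = cache.get_key("no-such-kid") is not None   # rate-limited: no fetch
    out["fetches_after_bogus"] = cache.fetch_count
    published["keys"] = [JWK_V2, JWK_ENC]                           # issuer retires key-v1
    clock.now = 420.0
    out["v2_after_ttl"] = cache.get_key("key-v2") is not None       # TTL elapsed: fetch 3
    out["fetches_after_ttl"] = cache.fetch_count
    clock.now = 425.0
    out["v1_retired"] = cache.get_key("key-v1") is None             # gone; no refetch (< 30 s)
    out["fetches_final"] = cache.fetch_count
    return out


if __name__ == "__main__":
    for name, value in simulate_rotation().items():
        print(name, value)
```

Two consequences for the login service follow from the cache behaviour. A rotated key should be published in the JWKS before the issuer starts signing with it, so that consumers whose cache is still inside the TTL pick it up on the unknown-kid path rather than rejecting valid tokens. And the `http://localhost:9090` URI in the PR is fine for a demo, but in deployment the `jwk-set-uri` has to be HTTPS to a trusted host: whoever can alter that response can publish their own key and mint tokens every resource server accepts.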

@dk1844 (Collaborator) commented Aug 22, 2023

I looked it over and I agree that it would be useful to have as an addition.
It is a pity that jjwt does not have it in a release right now; based on some of their information and the state of the milestone, it might be "soon".

I don't mind the Nimbus JOSE JWT library that much, considering we are hopefully looking forward to replacing it eventually.
@kevinwallimann, if you feel like finishing this, be my guest; if you don't want to or don't have time, we could do it, I hope.

I have created a small update on @kevinwallimann's work in #64

I have tried it to the point that the new endpoint at /token/public-key-jwks generates the key, but I have not tried to use it further.

@kevinwallimann kevinwallimann marked this pull request as ready for review August 22, 2023 15:09
@dk1844 (Collaborator) left a comment


LGTM, checked out, ran tests this time.

kevinwallimann and others added 3 commits August 23, 2023 09:21
* jwks: kid added

* jwks: kid test added

* jwks: kid changed to be a public rsakey thumbprint
@kevinwallimann kevinwallimann merged commit 07fd00e into master Aug 23, 2023
3 checks passed
@kevinwallimann kevinwallimann deleted the feature/jwks branch August 23, 2023 08:24
Linked issue (closed by this PR): supporting the JWKS format for the public key in the login service