Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Switch to manual JWT verification of ID token from IdP #138

Closed
4 tasks done
alyssadai opened this issue Nov 28, 2024 · 1 comment · Fixed by #139
Closed
4 tasks done

Switch to manual JWT verification of ID token from IdP #138

alyssadai opened this issue Nov 28, 2024 · 1 comment · Fixed by #139
Assignees
@alyssadai
Labels
released This issue/pull request has been released.

Comments

@alyssadai
Copy link
Contributor

alyssadai commented Nov 28, 2024
edited
Loading

Even for a trial implementation, we can no longer rely on Google as our IdP because we have discovered that the "testing" mode of our Google service API does not restrict login to the app (namely, access to the basic user info provided by default in the ID token) based on test user list as originally expected. See https://issuetracker.google.com/issues/211370835#comment68 for more info on this behaviour.

So, to be able to employ any kind of "user list" to restrict queries for now, we need to use a different IdP and more generic ID token verification method.

  • use PyJWT library (update requirements.txt)
  • obtain certificate URL for Google to send a request for public keys (fetched automatically with google_auth package)
  • decode and validate claims of JWT manually
  • remove google_auth from dependencies?
@alyssadai alyssadai self-assigned this Nov 28, 2024
@alyssadai alyssadai moved this to Implement - Active in Neurobagel Nov 28, 2024
@alyssadai alyssadai mentioned this issue Nov 28, 2024
Merged
7 tasks
@alyssadai alyssadai changed the title Switch to manual JWT verification of Google-issued ID token Switch to manual JWT verification of ID token from IdP Nov 29, 2024
@alyssadai alyssadai mentioned this issue Nov 29, 2024
Closed
4 tasks
@alyssadai alyssadai moved this from Implement - Active to Implement - Done in Neurobagel Nov 29, 2024
@surchs surchs moved this from Implement - Done to Review - Active in Neurobagel Nov 29, 2024
@github-project-automation github-project-automation bot moved this from Review - Active to Review - Done in Neurobagel Dec 2, 2024
@neurobagel-bot Neurobagel Bot
Copy link
Contributor

neurobagel-bot bot commented Dec 2, 2024

🚀 Issue was released in v0.4.3 🚀

@neurobagel-bot neurobagel-bot bot added the released This issue/pull request has been released. label Dec 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alyssadai alyssadai

Labels
released This issue/pull request has been released.
Projects
Neurobagel
Status: Review - Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[REF] Manually verify ID token using PyJWT instead of google_auth neurobagel/federation-api
1 participant
@alyssadai