feat: ⚡ automatically retrieve jwks
thomashbrnrd committed Sep 24, 2024
1 parent 66627f9 commit cb16ce3
Showing 6 changed files with 18 additions and 10 deletions.
4 changes: 3 additions & 1 deletion .github/workflows/main-ci.yml
Expand Up @@ -75,7 +75,9 @@ jobs:
S3_BUCKET_NAME: basegun-s3
EMAIL_HOST: mailpit
EMAIL_PORT: 1025
OPENIDCONNECT_URL: https://token.actions.githubusercontent.com/.well-known/openid-configuration
OIDC_CONFIG_URL: https://token.actions.githubusercontent.com/.well-known/openid-configuration
OIDC_JWKS_URL: https://token.actions.githubusercontent.com/.well-known/jwks
OIDC_JWKS_KID: cc413527-173f-5a05-976e-9c52b1d7b431
steps:
- run: cd /app && pytest
services:
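Review bot: The `OIDC_JWKS_KID` value added here pins one specific key id from GitHub's published JWKS, and the same value is repeated in docker-compose.override.ci.yml; GitHub rotates its OIDC signing keys, so once that kid is no longer in the JWKS the backend's key lookup at import time will fail and the CI job will break for a reason unrelated to the change under test. If the backend resolved the key id from the token header instead of from configuration, this variable would not be needed in CI at all. Until then, a comment next to the value such as `# must be refreshed whenever GitHub rotates its OIDC signing key` would at least tell the next person why the pipeline stopped.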
6 changes: 4 additions & 2 deletions backend/src/config.py
Expand Up @@ -5,6 +5,7 @@
import boto3
from fastapi.security import OpenIdConnect
from gelfformatter import GelfFormatter
from jwt import PyJWKClient

CURRENT_DIR = os.path.dirname(os.path.abspath(__file__))

Expand Down Expand Up @@ -127,6 +128,7 @@ def get_base_logs(user_agent, user_id: str) -> dict:
SMTPClient = SMTP(os.environ["EMAIL_HOST"], os.environ["EMAIL_PORT"])

# Authentication
PUBLIC_KEY = f"""-----BEGIN PUBLIC KEY-----\n{os.environ.get("PUBLIC_KEY")}\n-----END PUBLIC KEY-----"""
jwks_client = PyJWKClient(os.environ["OIDC_JWKS_URL"])
PUBLIC_KEY = jwks_client.get_signing_key(os.environ["OIDC_JWKS_KID"]).key

OAUTH2_SCHEME = OpenIdConnect(openIdConnectUrl=os.environ["OPENIDCONNECT_URL"])
OAUTH2_SCHEME = OpenIdConnect(openIdConnectUrl=os.environ["OIDC_CONFIG_URL"])
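Review bot: `PUBLIC_KEY = jwks_client.get_signing_key(os.environ["OIDC_JWKS_KID"]).key` resolves a single operator-pinned key once at import, so the module performs a network fetch on startup, raises (a PyJWKClientError when the kid is absent, or a connection error when the JWKS is unreachable) before the app can serve anything, and never sees a rotated key until the process restarts while continuing to trust the pinned key after the provider has retired it. The usual pattern with `PyJWKClient` is to keep `jwks_client` as the module-level object and, at verification time, call `jwks_client.get_signing_key_from_jwt(token).key` so the kid comes from the token header and the client's own cache absorbs rotation; the verification site is not in this hunk, so I cannot tell how `PUBLIC_KEY` is consumed. If the pinned-kid design is intentional, a short comment above these two lines stating that the key is fetched once at startup and that `OIDC_JWKS_KID` must track the provider's key rotation would make that contract visible to whoever operates the service.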
2 changes: 1 addition & 1 deletion backend/tests/test_auth.py
Expand Up @@ -6,7 +6,7 @@

client = TestClient(app)

token = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJvTlgya3hzM0RrdUJZNG9QY01LWnFiXzdWZVlfRmlXNEdrT1hIUjlBQkFBIn0.eyJleHAiOjE3MjU4OTM5NTcsImlhdCI6MTcyNTg5MDM1NywiYXV0aF90aW1lIjoxNzI1ODkwMzU2LCJqdGkiOiI3NjJiYzZkMy0yNWQ3LTRkMWYtYTdiYi04ZDA3MDBjOTVhZTgiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL2Jhc2VndW4iLCJzdWIiOiJmYjFjNjYyNC0wMDdhLTQ2NTUtYTRiYS1kZmU1NGE2ZWE2YTAiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJiYXNlZ3VuIiwic2lkIjoiMzM4ZGY5YmEtYmY0Yy00MmE5LTliNjEtZmU2MGY4ZDcwOTg3IiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRwOi8vbG9jYWxob3N0OjMwMDAiLCJodHRwOi8vbG9jYWxob3N0OjUxNzMiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVzZXIiXX0sInNjb3BlIjoib3BlbmlkIGVtYWlsIHByb2ZpbGUiLCJuaWdlbmQiOiIxMjM0NTY3OCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiaWRwIjoicHJveHltYSIsInNlcnZpY2UiOiJETlBBRiAvIFJPSVNTWSA5NSIsIm5hbWUiOiJKYW5lIERvZSIsInBob25lX251bWJlciI6IjAxMjM0NTY3ODkiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJnZW5kYXJtZXJpZSIsImdpdmVuX25hbWUiOiJKYW5lIiwiZmFtaWx5X25hbWUiOiJEb2UiLCJlbWFpbCI6ImphbmUuZG9lQGdlbmRhcm1lcmllLmdvdXYuZnIifQ.pChWFGGPU8PKSJo0IKpExrVLUCH_zfnihDcXnTb7Vx_Tfto_JCB6JV7mSguTdz5p1ZA-wWLjbSsLBH8xZ8RnGshSuLORs3bWHFPKMSO_0xurWj8S1GwF3Lf6T4mPWpVfQahlB9HWcLvT9gJTMklTRLmoktqu5cKzuyy5PSzVZeZKTHgz3BcS6cN80_frujmZcDdB3Vjl6FeuFrvXkjQSaM3XvyfzeujAEoPg7VcGfBbm3lhpzNXBjuw86RdM5PtQLn3LS4yEbsmtCsztC5MNL70ctTK2eoq2cv7drXUVO1VfpMwKQVdKZDUvzs8ApziDtsUGJUeMb8O51u1SV6DPig"
token = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJiYXNlZ3VuIn0.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.WQML9ujg31dsfJJhfuO5aisL3Mmp6LmmDcB7tXiR_bjdU-0SFKnKQN48ORPlZEtj-s1hlgR69UU4Z0whe5w1JUdNkgrocngjcGUNYueb4Z4kfIDBYExDE4y4UvLZ1vgUw3sDK1laRBI4fG_CAkUUNA85rTPIOaAlrhRYXyizX3mglwg-ibm6HUZjLelcZW2lkvdhOD-dlkNdPVywa0dOBh3Awhn3KS6At3GDlsf0v_JCNzS3p1i_XHIEYNai0jEBSOQjkjjF0FZtIDhN1Nl3mE6wtVs1s83PYaIGTLN29WqdZCudeVTrR3x1_RIkIEVEANUNJvE5QYsl6mRPDABdAA"


@pytest.mark.skip(reason="Cannot currently run in CI.")
6 changes: 4 additions & 2 deletions docker-compose.override.ci.yml
@@ -1,5 +1,7 @@
# Override environment variables in CI to use dummy OIDC
# Override environment variables in CI to use dummy / github OIDC
services:
backend:
environment:
- OPENIDCONNECT_URL=https://token.actions.githubusercontent.com/.well-known/openid-configuration
- OIDC_CONFIG_URL=https://token.actions.githubusercontent.com/.well-known/openid-configuration
- OIDC_JWKS_URL=https://token.actions.githubusercontent.com/.well-known/jwks
- OIDC_JWKS_KID=cc413527-173f-5a05-976e-9c52b1d7b431
5 changes: 3 additions & 2 deletions docker-compose.yml
Expand Up @@ -13,8 +13,9 @@ services:
- AWS_SECRET_ACCESS_KEY=minioadmin
- EMAIL_HOST=mailpit
- EMAIL_PORT=1025
- OPENIDCONNECT_URL=http://localhost:8080/realms/basegun/.well-known/openid-configuration
- PUBLIC_KEY=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyn3q/tTOfj8uSdts94MVVrYrtAZLUO//sNNagO2H6gia8LkbYf3eByA6FippkptQsgb3JxP1zczORcQ48Vck13QrjKcXVY4+usAddke9aB8nui3vaEO13lcAZo81H2lQyrbgYEC66Mz0SNgpQk4H3mHtu4zmy4HXzmn8WDC2s3iQ71Ly7OWIBZCjHPCGhaqq6YyNtp/2MXFBj9e58ixC72cmrUis5/MSTgq857mFZ1AXOMuimk0Xt2cTqT0OM13SeJLF8P8iGL0FIC9mKtZVIAR6kDF3T2lbAf9Dta6YzUiPAsrYAY0nGkOkazyfBJxS1FplkCZAhRAryO6J6D5KowIDAQAB
- OIDC_CONFIG_URL=http://localhost:8080/realms/basegun/.well-known/openid-configuration
- OIDC_JWKS_URL=http://keycloak:8080/realms/basegun/protocol/openid-connect/certs
- OIDC_JWKS_KID=basegun
ports:
- 5000:5000
volumes:
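Review bot: `OIDC_CONFIG_URL` points at `localhost:8080` while the new `OIDC_JWKS_URL` points at `keycloak:8080`, so the same realm is addressed through two different hosts; presumably the first is what the browser-facing OpenIdConnect scheme advertises and the second is what the backend container fetches from inside the compose network, but nothing in the file says so. A one-line comment above the pair, `# OIDC_CONFIG_URL is used by the browser; OIDC_JWKS_URL is fetched from inside the compose network`, would stop someone from "fixing" one host to match the other. With `PUBLIC_KEY` removed from the environment here, any remaining reader of that variable outside this diff would now see it unset; I cannot confirm from this hunk whether one still exists.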
5 changes: 3 additions & 2 deletions keycloak/realm-export.json
Expand Up @@ -1288,7 +1288,7 @@
"user.attribute": "lastName",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "family_name",
"claim.name": "last_name",
"jsonType.label": "String"
}
},
Expand Down Expand Up @@ -1609,7 +1609,8 @@
"providerId": "rsa-generated",
"subComponents": {},
"config": {
"priority": ["100"]
"priority": ["100"],
"kid": ["basegun"]
}
}
]
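Review bot: Changing the mapper's `claim.name` from `family_name` to `last_name` replaces the standard OIDC claim name for the surname with a custom one, so any consumer that still reads `family_name` (the backend, or the fixture token in backend/tests/test_auth.py, which appears to have carried that claim before this commit) will now find it missing. The mapper definition begins above the hunk, so I cannot see whether this rename is deliberate or whether a matching first-name mapper was renamed alongside it. The second hunk's `"kid": ["basegun"]` gives the dev realm a stable key id, which is reasonable for local use, but it ties the realm's signing key to the value pinned in `OIDC_JWKS_KID` in docker-compose.yml, so rotating the Keycloak key means updating both places.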
