example-oidc-server

No JWKS endpoint

Open kkinder opened this issue 5 years ago • 8 comments

To my understanding, when implementing OIDC, you need a JWKS endpoint. (A discovery endpoint would also be pretty helpful). Perhaps I'm missing something, but this example doesn't seem to provide a way for the client to validate the bundled OIDC profile because there's no jwks endpoint.

kkinder, Jan 20 '20 12:01

I have successfully implemented a jwks_endpoint like this:

from pathlib import Path

from authlib.jose import JsonWebKey, KeySet
from flask import Blueprint, jsonify

bp = Blueprint("oauth", __name__)  # the example server's blueprint, declared here so the snippet runs stand-alone

def load_public_keys():
    # Import the PEM public key as a JWK and tag it with the parameters clients use to pick a verification key.
    public_key_path = Path("etc") / "public.pem"
    public_key = JsonWebKey.import_key(public_key_path.read_bytes())
    public_key["use"] = "sig"
    public_key["alg"] = "RS256"
    return KeySet([public_key])

@bp.route("/oauth/jwks")
def jwks_endpoint():
    # Serialise the key set in JWKS document form: {"keys": [...]}
    return jsonify(load_public_keys().as_dict())

@lepture is this the right way to go about this? Is this something that can be added to the example code?

Maybe with auto generated keys on start-up? If they are delivered to the client via auto discovery, they do not need to be persistent, right?

dwt, Aug 13 '21 13:08

Almost forgot: to actually use the private key for id_token generation, I needed this code:

from pathlib import Path

from authlib.jose import JsonWebKey, KeySet

JWT_CONFIG = {
    "key": "secret-key",  # placeholder from the example config; replaced with the RSA key below
    "alg": "RS256",
    "iss": "https://example.com",
    "exp": 3600,
}
private_key_path = Path("etc") / "private.pem"
private_key = JsonWebKey.import_key(private_key_path.read_text())
# Hand the id_token signer the key as a JWK set dict rather than the PEM text.
JWT_CONFIG["key"] = KeySet([private_key]).as_dict()

The last as_dict() took me about half a day to find out, and it is maybe not needed with the current master branch anymore (looks like it from the source code, but I haven't tried yet).

dwt, Aug 13 '21 13:08

@lepture ping?

dwt, Oct 19 '21 07:10

There is a way to generate the keys with Authlib. I’ll update it later.

lepture, Oct 20 '21 02:10

Generating the keys seems like a great idea, I would like persistence though.

It seems, though, that otherwise every restart of the oidc server would require a restart of the consumer app too while working on it; if that is the case, persistence of the generated key would probably be wise. :-)

Other than that: Thanks!

dwt, Oct 20 '21 07:10

Also, this would go especially great with #11. :-)

dwt, Oct 20 '21 07:10

Hello! Any updates on this? I'm implementing an authorization server with authlib and had already done something like @dwt at this endpoint, but if there was something simpler with the use of authlib for generating keys it would be awesome!

pserey, Jan 16 '23 18:01

Any updates? Is this project dead?

kamikaze, Dec 11 '23 19:12