[auth] Add JWT Signing #1871
Comments
Working on this right now. Wondering if you could clear up a few questions I have regarding this issue. I've written the code to sign and verify the tokens with the RSA algorithm to use public and private keys and the e2e tests seem to work (JWT.io link). Currently trying to figure out how to generate and store the keys. One question I have though, is do we generate a new public/private key pair every time a user logs in/registers? My understanding is that we'll have a fixed value of the pair, keeping the private key in a concealed place (environment variable?) and the public key is shared for verifying the JWTs. As for generation, I used a website to generate (there are a couple) the private/public keys. Would appreciate your (and anyone else's) advice on this, still learning about JWTs cc @humphd
We'll need to generate a bunch of new key pairs for development, staging, production. We'd pass these in via env variables, so your code can expect to read them from We'll also need to expose a JWKS endpoint on our sso (formerly auth) server, so all the microservices can get the signing keys to validate the signed tokens they receive. This bit can be done behind the scenes in Satellite, so microservices don't have to worry about it.
In Satellite we do it here https://github.com/Seneca-CDOT/satellite/blob/3b0833360a91527df2fac7726fee806d289e8588/src/service-token.js#L19, and we need to upgrade this to use something like https://github.com/auth0/node-jwks-rsa/tree/61b5740b3846f74fa6d631be6712405700d9c163/examples/express-demo
https://sometimes-react.medium.com/jwks-and-node-jose-9273f89f9a02 is useful, as is https://github.com/DinoChiesa/Apigee-JWT-with-JWKS (see his video explanation). NOTE: because all of our microservices are run together, we could also share this via env variables too vs. having them download via a URI.
Thanks for the references, they're really informative. But I still haven't fully grasped JWKS endpoints and Satellite fully just yet. So we need to expose an endpoint on our sso server like "/auth/jwks" so that our microservices can grab a JWKS to use to authenticate their JWTs. Versus the alternative which is to put the keys in an env variable. If we use the first approach, we'd change the Satellite.isAuthenticated() method to be like the example you mentioned above where it grabs the JWKS from the sso server endpoint. Then passes the signing keys back to the microservices to use to validate. The alternative is just to share the key via env variable and make the changes in Satellite.isAuthenticated() to verify with the key. But that's all in satellite's area. So the changes in our SSO service would include modifying the JWT to be signed with private keys, and add the endpoint to give out the JWKS. Please correct me where I'm wrong.
You've got it. The sso service will sign the JWTs, and also have an endpoint for getting the JWKS. The Satellite code will be updated with middleware to automatically do the verification step using the key it downloads from the sso service (on startup). Almost all of this will be invisible and automatic inside Satellite.
I'm going to call this "done" based on @joelazwar's work in #2957. We can file more as we go. |
We need to include JWT signing so our tokens can be verified with a public key. Right now we only use a secret from the env. We'll have to figure out how to generate, store, and pass the public/private keys into the container from staging/prod, similar to what we do now with certs for SSL and nginx.