(PXP-6339): Fetch and cache public keys for JWT validation #52

vpsx · 2021-05-19T19:13:03Z

Jira Ticket: PXP-6339

Facilitate validation of JWTs from non-Gen3 issuers by adding ability to fetch and cache a JWK set from a non-Gen3 server. Authutils will first look for a jwks_uri at .well-known/openid-configuration and fall back to the legacy Gen3 /jwt/keys endpoint. Keys are serialized to PEM and stored (as before) in flask.current_app.jwt_public_keys.

Account for JWTs in which the scope claim is a space-delimited string (use split instead of just putting scope value in list). We expect RAS visas/all GA4GH embedded tokens to have scope claims with this format.

github-actions · 2021-05-19T19:13:57Z

The style in this PR agrees with black. ✔️

This formatting comment was generated automatically by a script in uc-cdis/wool.

vpsx added 6 commits April 30, 2021 16:51

fix(jwks-uri): get jwks_uri from .well-known md doc if avbl

7ae5748

fix(jwks-uri): make return statement neater, add comment, blacken

bc634f0

fix(jwks-uri): serialize and cache generic public keys

d4bb6a3

fix(scope-validation): split space-delimited scope strings

b90a10e

fix(jwks-uri): handle errors when well-known endpt not avbl

467dbf3

test(jwks-uri): Fix call count assertion

e5ed3ea

Avantol13 approved these changes May 21, 2021

View reviewed changes

vpsx merged commit 7b1d7f5 into master May 26, 2021

vpsx deleted the fix/jwks-uri branch June 1, 2021 15:46

paulineribeyre mentioned this pull request Jun 27, 2022

Fix parsing of PEM and RSA keys #65

Merged

Provide feedback