Audience key in JWTs

.circleci/config.yml

@@ -102,6 +102,7 @@ executors:
         FLOWMACHINE_PORT: 5555
         FLOWDB_HOST: localhost
         JWT_SECRET_KEY: secret
+        FLOWAPI_IDENTIFIER: TEST_SERVER
     docker:
       - image: circleci/python:3.7
       - image: flowminder/flowdb-<<parameters.flowdb_image>>:$CIRCLE_SHA1
@@ -364,6 +365,7 @@ jobs:
       - image: circleci/python:3.7
     environment:
       JWT_SECRET_KEY: secret
+      FLOWAPI_IDENTIFIER: TEST_SERVER
     working_directory: /home/circleci/project/flowkit_jwt_generator
     steps:
       - checkout:
@@ -390,6 +392,8 @@ jobs:
   run_flowkit_api_tests:
     docker:
       - image: circleci/python:3.7
+        environment:
+          FLOWAPI_IDENTIFIER: TEST_SERVER
     working_directory: /home/circleci/project/flowapi
     steps:
       - checkout:
@@ -408,8 +412,10 @@ jobs:
     docker:
       - image: circleci/python:3.6
     environment:
+      &flowauth_env
       FLOWAUTH_FERNET_KEY: "XU-J5xNOtkaUKAoqWT7_VoT3zk2OTuoqKPBN3l0pOFg="
       FLASK_APP: flowauth
+      FLOWAPI_IDENTIFIER: TEST_SERVER
     working_directory: /home/circleci/project/flowauth
     steps:
       - checkout:
@@ -428,8 +434,7 @@ jobs:
     docker:
       - image: circleci/python:3.6
     environment:
-      FLOWAUTH_FERNET_KEY: "XU-J5xNOtkaUKAoqWT7_VoT3zk2OTuoqKPBN3l0pOFg="
-      FLASK_APP: flowauth
+      *flowauth_env
     working_directory: /home/circleci/project/flowauth
     steps:
       - checkout:

CHANGELOG.md

@@ -21,6 +21,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
     - `db_host -> flowdb_host`
     - `db_connection_pool_size -> flowdb_connection_pool_size`
     - `db_connection_pool_overflow -> flowdb_connection_pool_overflow`
+- FlowAPI and FlowAuth now expect an audience key to be present in tokens [#727](https://github.com/Flowminder/FlowKit/issues/727)
 
 ### Fixed
 - FlowClient docs rendered to website now show the options available for arguments that require a string from some set of possibilities [#695](https://github.com/Flowminder/FlowKit/issues/695).

development_environment

@@ -29,6 +29,7 @@ FLOWAPI_LOG_LEVEL=debug
 # Flowmachine ZMQ host
 FLOWMACHINE_HOST=localhost
 FLOWAPI_PORT=9090
+FLOWAPI_IDENTIFIER=TEST_SERVER
 
 
 # Hostname to connect to flowdb

docs/notebook_preamble.py

@@ -47,4 +47,5 @@ def format_dict(x):
     secret_key=os.environ["JWT_SECRET_KEY"],
     lifetime=timedelta(days=1),
     claims=get_all_claims_from_flowapi(flowapi_url="http://localhost:9090"),
+    audience=os.environ["FLOWAPI_IDENTIFIER"],
 )

docs/source/install.md

@@ -222,6 +222,10 @@ The stack expects you to provide eight secrets:
  - JWT_SECRET_KEY
 
     The secret key used to sign API access tokens
+
+ - FLOWAPI_IDENTIFIER
+
+    The unique name of the FlowAPI server. Used to verify that a decoded token is intended for _this_ server.
 
 
 To make use of secrets you will need to use docker swarm. For testing purposes, you can set up a single node swarm by running `docker swarm init`.
@@ -240,7 +244,7 @@ docker secret create cert-flowkit.pem integration_tests/cert.pem
 
 (Note that unlike the other examples, we are supplying a _file_ rather than piping to stdin.)
 
-Once you have added all five required secrets, you can use `docker stack` to spin up FlowKit, much as you would `docker-compose`:
+Once you have added all the required secrets, you can use `docker stack` to spin up FlowKit, much as you would `docker-compose`:
 
 ```bash
 cd secrets_quickstart
@@ -257,15 +261,43 @@ conn = flowclient.Connection("https://localhost:9090", "JWT_STRING", ssl_certifi
 #### Secrets Quickstart
 
 ```bash
-cd secrets_quickstart
 docker login
 docker swarm init
+# Remove existing stack deployment
+echo "Removing existing secrets_test_stack"
+docker stack rm secrets_test
+# Wait for 'docker stack rm' to finish (see https://github.com/moby/moby/issues/30942)
+limit=15
+until [ -z "$(docker service ls --filter label=com.docker.stack.namespace=secrets_test -q)" ] || [ "$limit" -lt 0 ]; do
+  sleep 2
+  limit="$((limit-1))"
+done
+
+limit=15
+until [ -z "$(docker network ls --filter label=com.docker.stack.namespace=secrets_test -q)" ] || [ "$limit" -lt 0 ]; do
+  sleep 2
+  limit="$((limit-1))"
+done
+
+# Remove existing secrets
+echo "Removing existing secrets"
+docker secret rm FLOWMACHINE_FLOWDB_PASSWORD
+docker secret rm FLOWMACHINE_FLOWDB_USER
+docker secret rm FLOWAPI_FLOWDB_PASSWORD
+docker secret rm FLOWAPI_FLOWDB_USER
+docker secret rm POSTGRES_PASSWORD
+docker secret rm cert-flowkit.pem
+docker secret rm JWT_SECRET_KEY
+docker secret rm REDIS_PASSWORD
+docker secret rm FLOWAPI_IDENTIFIER
+echo "Adding secrets"
 openssl rand -base64 16 | tr -cd '0-9-a-z-A-Z' | docker secret create FLOWMACHINE_FLOWDB_PASSWORD -
 echo "flowmachine" | docker secret create FLOWMACHINE_FLOWDB_USER -
 echo "flowapi" | docker secret create FLOWAPI_FLOWDB_USER -
 openssl rand -base64 16 | tr -cd '0-9-a-z-A-Z' | docker secret create FLOWAPI_FLOWDB_PASSWORD -
 openssl rand -base64 16 | tr -cd '0-9-a-z-A-Z' | docker secret create POSTGRES_PASSWORD -
 openssl rand -base64 16 | tr -cd '0-9-a-z-A-Z' | docker secret create REDIS_PASSWORD -
+echo "flowapi_server" | docker secret create FLOWAPI_IDENTIFIER -
 openssl req -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/CN=flow.api" \
     -extensions SAN \
     -config <( cat $( [[ "Darwin" -eq "$(uname -s)" ]]  && echo /System/Library/OpenSSL/openssl.cnf || echo /etc/ssl/openssl.cnf  ) \
@@ -274,6 +306,7 @@ openssl req -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/CN=flow.api" \
 cat cert.key cert.pem > cert-flowkit.pem
 docker secret create cert-flowkit.pem cert-flowkit.pem
 echo "secret" | docker secret create JWT_SECRET_KEY -
+echo "Deploying stack"
 docker stack deploy --with-registry-auth -c docker-stack.yml secrets_test
 ```
 

flowapi/flowapi/config.py

@@ -43,11 +43,15 @@ def get_config():
     )
     flowdb_host = os.environ["FLOWDB_HOST"]
     flowdb_port = os.environ["FLOWDB_PORT"]
+    flowapi_server_id = getsecret(
+        "FLOWAPI_IDENTIFIER", os.environ["FLOWAPI_IDENTIFIER"]
+    )
 
     return dict(
         JWT_SECRET_KEY=jwt_secret_key,
         FLOWAPI_LOG_LEVEL=log_level,
         FLOWMACHINE_HOST=flowmachine_host,
         FLOWMACHINE_PORT=flowmachine_port,
         FLOWDB_DSN=f"postgres://{flowdb_user}:{flowdb_password}@{flowdb_host}:{flowdb_port}/flowdb",
+        JWT_DECODE_AUDIENCE=flowapi_server_id,
     )

flowapi/tests/unit/conftest.py

@@ -2,6 +2,7 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 import json
+import os
 from json import JSONDecodeError
 
 import asyncpg

flowauth/Pipfile

@@ -8,7 +8,7 @@ flask = "*"
 flask-sqlalchemy = "*"
 flask-login = "*"
 flask-principal = "*"
-flask-jwt-extended = "*"
+pyjwt = "*"
 flask-wtf =  "*"
 zxcvbn = "*"
 versioneer = "*"
@@ -21,6 +21,7 @@ cryptography = "*"
 pytest = "*"
 pytest-cov = "*"
 "flowauth" = {editable = true, path = "./backend"}
+flowkit-jwt-generator = {editable = true,path = "./../flowkit_jwt_generator"}
 
 [requires]
 python_version = "3.6"