Revert "Merge pull request #3 from fixthestatusquo/master"

This reverts commit f74afcc, reversing changes made to 4e790a5. This change had some breaking changes - It changes the required_claims in the JWT - The `if SiteSetting.jwt_jwks_url` check should be `if SiteSetting.jwt_jwks_url.present?`, to account for empty strings (the default)
discourse · Sep 16, 2020 · 0981204 · 0981204
1 parent f74afcc
commit 0981204
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 46 deletions.
diff --git a/README.md b/README.md
@@ -4,31 +4,17 @@ A Discourse Plugin to enable authentication via JSON Web Tokens (JWT).
 
 In the first instance, consider using Discourse's [OpenID Connect](https://meta.discourse.org/t/openid-connect-authentication-plugin/103632) or [OAuth2](https://meta.discourse.org/t/oauth2-basic-support/33879) plugins. These authentication standards are more mature, and include more security features.
 
-### Shared secret vs public keys
-
-JWT tokens can be verified using a shared secret or a public key. When in shared secret mode, the token consumer needs to know the secret used to sign the token by token issuer. Set this token using `jwt_secret` option.
-In public key mode, verification step will use a public keys in JWKS format, wich are published by the issuer (eg. under https://example.com/.well-known/jwks.json address). Set this url in `jwt_jwks_url** option.
-
 ### Configuration
 
-This plugin provides three site settings for configuration. You must provide either three in your admin panel for the authentication to work correctly:
-
-Shared secret mode:
+This plugin provides three site settings for configuration. You must provide all three in your admin panel for the authentication to work correctly:
 
 - `jwt_enabled`
 - `jwt_secret`
 - `jwt_auth_url`
 
-Public key (JWKS) mode:
-
-- `jwt_enabled`
-- `jwt_jwks_url`
-- `jwt_auth_url`
-
 Alternatively, you can supply values for these settings via environment variables. Add the following settings to your `app.yml` file in the `env` section:
 
 - `DISCOURSE_JWT_SECRET`
-- `DISCOURSE_JWKS_URL`
 - `DISCOURSE_JWT_AUTH_URL`
 
 ### License

diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
@@ -2,5 +2,4 @@ en:
   site_settings:
     jwt_enabled: Enable JWT authentication. Customize user interface text <a href='%{base_path}/admin/customize/site_texts?q=js.login.jwt'>here</a>
     jwt_secret: JWT Secret
-    jwt_auth_url: URL which users will be redirected to for authentication
-    jwt_jwks_url: URL with JWKS.json (JWT public keys)
+    jwt_auth_url: URL which users will be redirected to for authentication
diff --git a/config/settings.yml b/config/settings.yml
@@ -1,5 +1,4 @@
 plugins:
   jwt_enabled: false
   jwt_secret: ""
-  jwt_auth_url: ""
-  jwt_jwks_url: ""
+  jwt_auth_url: ""
diff --git a/plugin.rb b/plugin.rb
@@ -7,8 +7,6 @@
 gem "discourse-omniauth-jwt", "0.0.2", require: false
 
 require 'omniauth/jwt'
-require 'net/http'
-require 'json'
 
 class JWTAuthenticator < Auth::ManagedAuthenticator
   def name
@@ -19,12 +17,11 @@ def register_middleware(omniauth)
     omniauth.provider :jwt,
                       name: 'jwt',
                       uid_claim: 'id',
-                      required_claims: ['email', 'first_name', 'last_name'],
+                      required_claims: ['id', 'email', 'name'],
                       setup: lambda { |env|
                         opts = env['omniauth.strategy'].options
                         opts[:secret] = SiteSetting.jwt_secret
                         opts[:auth_url] = SiteSetting.jwt_auth_url
-                        opts[:jwks_loader] = make_jwks_loader
                       }
   end
 
@@ -33,29 +30,6 @@ def enabled?
     # When this plugin used only global settings, there was no separate enable setting
     SiteSetting.jwt_enabled || GlobalSetting.try(:jwt_auth_url)
   end
-
-  private
-
-  def make_jwks_loader
-    if SiteSetting.jwt_jwks_url
-      jwks_loader = ->(options) do
-        @cached_keys = nil if options[:invalidate] # need to reload the keys
-        if not @cached_keys
-          begin
-            jwks = JSON.parse(Net::HTTP.get(URI(SiteSetting.jwt_jwks_url)), symbolize_names: true)
-          rescue JSON::ParserError => e
-            Rails.logger.error("Cannot parse JWKS.json from #{SiteSetting.jwt_jwks_url}: #{e}")
-            jwks = nil
-          end
-          @cached_keys ||= jwks
-        end
-        @cached_keys
-      end
-    else
-      jwks_loader = nil
-    end
-
-  end
 end
 
 auth_provider authenticator: JWTAuthenticator.new