Is your feature request related to a problem? Please describe.
Currently, when the security:authorization_required switch is set in the config file, the passed JSON Web Token (JWT) bearer token is base64-decoded and its signature verified against an identity provider's (IdP) public key that is also hard-coded in the config file (under security:jwt:public_key). This is not a very flexible solution.
Describe the solution you'd like
A service call to an OIDC endpoint should be added that dynamically obtains an IdP's public key (otherwise keeping the current solution) via the https://[base-server-url]/jwks.json endpoint OR validates the token via the token introspection endpoint of the form https://[base-server-url]/token/introspect. The base-server-url can be obtained from a JWT by base64-decoding it and extracting the iss claim.
Note that although the second solution (accessing the token introspection endpoint) may be more robust/safe, it usually requires a client secret, which right now we do not have and possibly do not want to have for every possible IdP (discussion point with ELIXIR Cloud & AAI group); this is therefore currently not the preferred solution.
Describe alternatives you've considered
N/A
Additional context
The current handling of bearer tokens is done in wes_elixir/security/decorators.py, so this would be the entry point and likely the only file requiring modifications to implement the suggested changes.
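As an added illustration (not code from the wes-elixir project), this is how the issuer-derived JWKS lookup described above could be done in Python: the iss claim is read from the still-unverified token, so it is only accepted when it matches a configured allowlist, and the JWKS entry is selected by kid with the algorithm pinned. TRUSTED_ISSUERS, ALLOWED_ALGS, the sample JWKS and the sample token are assumed or constructed values.

```python
import base64
import json
from urllib.parse import urlparse

# Hypothetical config values: issuers this deployment trusts and accepted algorithms.
TRUSTED_ISSUERS = {"https://login.example.org"}
ALLOWED_ALGS = {"RS256", "ES256"}

def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def peek_jwt(token):
    """Return (header, claims) WITHOUT checking the signature.
    Everything read here is attacker-controlled until the signature verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def jwks_url_for(token):
    """Derive https://<iss>/jwks.json from the unverified 'iss' claim, but only for
    allow-listed HTTPS issuers: an unverified 'iss' must never choose the key server."""
    _, claims = peek_jwt(token)
    iss = claims.get("iss")
    if iss not in TRUSTED_ISSUERS or urlparse(iss).scheme != "https":
        raise ValueError("untrusted issuer: %r" % (iss,))
    return iss.rstrip("/") + "/jwks.json"

def select_jwk(jwks, header):
    """Pick the JWKS entry whose kid matches the token header, rejecting 'none' and
    any algorithm outside ALLOWED_ALGS so the token cannot choose a weaker one."""
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed: %r" % (alg,))
    for key in jwks.get("keys", []):
        if key.get("kid") == header.get("kid") and key.get("alg", alg) == alg:
            return key  # hand this JWK to the signature verifier
    raise LookupError("no JWKS entry for kid %r" % (header.get("kid"),))

def build_unsigned_token(header, claims):
    """Constructed test fixture: a JWT with a dummy signature segment ('sig')."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc(header) + "." + enc(claims) + ".c2ln"

# Constructed sample JWKS document (placeholder modulus, not a real key) and token.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "k1", "alg": "RS256", "use": "sig",
                         "n": "PLACEHOLDER-MODULUS", "e": "AQAB"}]}
SAMPLE_TOKEN = build_unsigned_token({"alg": "RS256", "kid": "k1"},
                                    {"iss": "https://login.example.org", "sub": "user1"})
```

The selected JWK is then passed to a signature verifier (e.g. a JWT library's RS256 check); the fetched JWKS document should be cached per issuer so that every request does not trigger an outbound call.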