PXP-5231 feat/synapse jwks changes (#754)

* feat/synapse jwks changes
uc-cdis · Jan 29, 2020 · 3364b22 · 3364b22
1 parent 4e16fec
commit 3364b22
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 5 deletions.
diff --git a/fence/config-default.yaml b/fence/config-default.yaml
@@ -716,5 +716,6 @@ ALLOWED_USER_SERVICE_ACCOUNT_DOMAINS:
 DREAM_CHALLENGE_TEAM: 'DREAM'
 DREAM_CHALLENGE_GROUP: 'DREAM'
 SYNAPSE_URI: 'https://repo-prod.prod.sagebase.org/auth/v1'
+SYNAPSE_JWKS_URI:
 SYNAPSE_DISCOVERY_URL:
 SYNAPSE_AUTHZ_TTL: 86400
diff --git a/fence/resources/openid/synapse_oauth2.py b/fence/resources/openid/synapse_oauth2.py
@@ -71,14 +71,24 @@ def get_auth_url(self):
         return uri
 
     def load_key(self, jwks_endpoint):
-        """A custom method to load a Synapse "RS256" key.
+        """
+        A custom method to load a Synapse "RS256" key.
 
         Synapse is not providing standard JWK keys:
         * kty is RS256 not RSA
         * e and n are not base64-encoded
+
+        Synapse is updating their JWKS document to align it with conventions,
+        so above logic could be abandoned in the future.
         """
         for key in self.get_jwt_keys(jwks_endpoint):
-            if key["kty"] == "RS256":
+            # For new Synapse JWKS doc, which is modified with conventions
+            if key["kty"] == "RSA":
+                return "RS256", RSAAlgorithm.from_jwk(json.dumps(key))
+            # For old Synapse JWKS odc, kept for backward compability
+            # TODO: remove after tested with new Synapse JWKS doc
+            # and Synapse has deployed their changes
+            elif key["kty"] == "RS256":
                 key["kty"] = "RSA"
                 for field in ["e", "n"]:
                     if key[field].isdigit():
@@ -92,9 +102,16 @@ def get_user_id(self, code):
             token_endpoint = self.get_value_from_discovery_doc(
                 "token_endpoint", config["SYNAPSE_URI"] + "/oauth2/token"
             )
-            jwks_endpoint = self.get_value_from_discovery_doc(
-                "jwks_uri", config["SYNAPSE_URI"] + "/oauth2/jwks"
-            )
+            # For testing new Synapse JWKS doc (if pinned to new JWKS doc)
+            # or avoid downtime (if pinned to old JWKS doc)
+            # TODO: can be removed after tested with new Synapse JWKS doc
+            # and Synapse has deployed their changes
+            if config["SYNAPSE_JWKS_URI"]:
+                jwks_endpoint = config["SYNAPSE_JWKS_URI"]
+            else:
+                jwks_endpoint = self.get_value_from_discovery_doc(
+                    "jwks_uri", config["SYNAPSE_URI"] + "/oauth2/jwks"
+                )
             token = self.get_token(token_endpoint, code)
             algorithm, key = self.load_key(jwks_endpoint)
             if not key: