Commit

added oauth_sign_key configuration directive for OpenID Connect #171 (p…
proycon committed Feb 19, 2021
1 parent c8a876f commit a2017bf
Showing 3 changed files with 7 additions and 3 deletions.
3 changes: 2 additions & 1 deletion bootstrap.sh
Expand Up @@ -1436,7 +1436,8 @@ oauth_userinfo_url: \"\" #something like https://your-identity-provider/oauth/us
oauth_revoke_url: \"\" #(optional) something like https://your-identity-provider/oauth/revoke
oauth_scope: [] #Set this to [ \"openid\", \"email\" ] if you want to use OpenID Connect
oauth_sign_algo: \"\" #(optional) You can set this to RS256 or HS256, for OpenID Connect
oauth_jwks_url: \"\" #(optional) something like https://your-identity-provider/oauth/jwks , may be needed for OpenID Connect
oauth_jwks_url: \"\" #(optional) something like https://your-identity-provider/oauth/jwks , used by OpenID Connect to obtain a signing key autoamtically (usually in combination with RS256 algorithm)
oauth_sign_key: {} #(optional) provide a sign key manually (should be a dict that has fields like kty, use,alg,n and e), used by OpenID Connect (usually in combination with RS256 algorithm)
" >> $STAGEDCONFIG
if [[ $OS == "mac" ]] || [[ "$FLAVOUR" == "remote" ]]; then
echo "lab: false #Enable Jupyter Lab environment, note that this opens the system to arbitrary code execution and file system access! (provided the below password is known)" >> $STAGEDCONFIG
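Review bot: The new oauth_jwks_url comment contains the typo "autoamtically", and the oauth_sign_key comment runs its field list together as "use,alg,n and e". This text is appended verbatim to $STAGEDCONFIG and ends up in every generated configuration, so please correct it to "automatically" and "kty, use, alg, n and e" before it propagates. Since the same two comment lines are duplicated in roles/lamachine-core/defaults/main.yml, fix both copies together so they do not drift apart.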
4 changes: 3 additions & 1 deletion roles/lamachine-core/defaults/main.yml
Expand Up @@ -42,8 +42,10 @@ oauth_token_url: "" #something like https://your-identity-provider/oauth/token
oauth_userinfo_url: "" #something like https://your-identity-provider/oauth/userinfo
oauth_revoke_url: "" #(optional) something like https://your-identity-provider/oauth/revoke
oauth_sign_algo: "" #(optional) You can set this to RS256 or HS256, for OpenID Connect
oauth_jwks_url: "" #(optional) something like https://your-identity-provider/oauth/jwks , may be needed for OpenID Connect
oauth_jwks_url: "" #(optional) something like https://your-identity-provider/oauth/jwks , used by OpenID Connect to obtain a signing key autoamtically (usually in combination with RS256 algorithm)
oauth_sign_key: {} #(optional) provide a sign key manually (should be a dict that has fields like kty, use,alg,n and e), used by OpenID Connect (usually in combination with RS256 algorithm)
oauth_scope: [] #Set this to [ "openid", "email" ] if you want to use OpenID Connect

ssh_key_filename: "id_rsa"
ssh_public_key: "" #ssh public key
ssh_private_key: "" #ssh private key
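Review bot: The oauth_sign_key comment does not say what happens when both oauth_jwks_url and oauth_sign_key are set, and the two comments read as if either may be used with RS256. Please document which one takes precedence. It would also help to state that the dict is the identity provider's public key (the listed fields kty, use, alg, n and e are all public JWK members, so no private parameters belong here), and that a manually pinned key has to be updated by hand when the provider rotates its signing key, whereas the JWKS URL picks up the new key. The sentence that oauth_sign_algo accepts "RS256 or HS256" sits right above; a short note on whether oauth_sign_key applies to HS256 at all would remove the ambiguity.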
3 changes: 2 additions & 1 deletion roles/languagemachines-python/templates/flat_settings.py
Expand Up @@ -319,7 +319,8 @@
{% if oauth_jwks_url %}
OIDC_OP_JWKS_ENDPOINT = "{{ oauth_jwks_url }}"
{% endif %}

{% if oauth_sign_key %}
OIDC_RD_IDP_SIGN_KEY = {{ oauth_sign_key | to_json }}
{% else %}
OIDC = False
{% endif %}
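Review bot: The added "{% if oauth_sign_key %}" has no "{% endif %}" of its own in this hunk, so as the template reads here the existing "{% else %}" and the final "{% endif %}" now belong to the new block rather than to the enclosing condition. That means "OIDC = False" is rendered whenever oauth_sign_key is empty, including when only oauth_jwks_url is configured, and the outer "{% if %}" is left one "{% endif %}" short. Close the new block right after the OIDC_RD_IDP_SIGN_KEY line. Separately, please check the setting name: OIDC_OP_JWKS_ENDPOINT is a mozilla-django-oidc setting, and if that is the library in use, its manual key setting is OIDC_RP_IDP_SIGN_KEY (RP, not RD); a misspelled settings name is silently ignored, so token signature verification would not see the configured key.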
