From a2017bfbc35675ba65cb2efd6de128bc3a80e030 Mon Sep 17 00:00:00 2001
From: Maarten van Gompel
Date: Fri, 19 Feb 2021 14:24:36 +0100
Subject: [PATCH] added oauth_sign_key configuration directive for OpenID Connect #171 (proycon/flat#168)
---
 bootstrap.sh | 3 ++-
 roles/lamachine-core/defaults/main.yml | 4 +++-
 roles/languagemachines-python/templates/flat_settings.py | 3 ++-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/bootstrap.sh b/bootstrap.sh
index 1450b973..32353fd6 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -1436,7 +1436,8 @@ oauth_userinfo_url: \"\" #something like https://your-identity-provider/oauth/us
 oauth_revoke_url: \"\" #(optional) something like https://your-identity-provider/oauth/revoke
 oauth_scope: [] #Set this to [ \"openid\", \"email\" ] if you want to use OpenID Connect
 oauth_sign_algo: \"\" #(optional) You can set this to RS256 or HS256, for OpenID Connect
-oauth_jwks_url: \"\" #(optional) something like https://your-identity-provider/oauth/jwks , may be needed for OpenID Connect
+oauth_jwks_url: \"\" #(optional) something like https://your-identity-provider/oauth/jwks , used by OpenID Connect to obtain a signing key autoamtically (usually in combination with RS256 algorithm)
+oauth_sign_key: {} #(optional) provide a sign key manually (should be a dict that has fields like kty, use,alg,n and e), used by OpenID Connect (usually in combination with RS256 algorithm)
 " >> $STAGEDCONFIG
 if [[ $OS == "mac" ]] || [[ "$FLAVOUR" == "remote" ]]; then
 echo "lab: false #Enable Jupyter Lab environment, note that this opens the system to arbitrary code execution and file system access! (provided the below password is known)" >> $STAGEDCONFIG
diff --git a/roles/lamachine-core/defaults/main.yml b/roles/lamachine-core/defaults/main.yml
index 10f4af49..33676bbf 100644
--- a/roles/lamachine-core/defaults/main.yml
+++ b/roles/lamachine-core/defaults/main.yml
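Review bot: The new oauth_jwks_url comment misspells "autoamtically", and the new oauth_sign_key comment does not say what kind of key is expected; the same two comment lines are repeated in the roles/lamachine-core/defaults/main.yml hunk. A JWK with kty, use, alg, n and e is the identity provider's public RSA key, so operators should know it is a verification key copied from the provider rather than a secret to generate, and that its integrity still matters because whoever controls that value decides which tokens are accepted. The main.yml comments describe it as the manual alternative to fetching the key from oauth_jwks_url, which is worth saying here too. I would write the two lines as `oauth_jwks_url: \"\" #(optional) something like https://your-identity-provider/oauth/jwks , used by OpenID Connect to obtain the provider's signing key automatically (usually in combination with RS256 algorithm)` and `oauth_sign_key: {} #(optional) the identity provider's public signing key as a JWK dict (fields kty, use, alg, n and e), a manual alternative to oauth_jwks_url, used by OpenID Connect to verify tokens (usually in combination with RS256 algorithm)`.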
@@ -42,8 +42,10 @@ oauth_token_url: "" #something like https://your-identity-provider/oauth/token
 oauth_userinfo_url: "" #something like https://your-identity-provider/oauth/userinfo
 oauth_revoke_url: "" #(optional) something like https://your-identity-provider/oauth/revoke
 oauth_sign_algo: "" #(optional) You can set this to RS256 or HS256, for OpenID Connect
-oauth_jwks_url: "" #(optional) something like https://your-identity-provider/oauth/jwks , may be needed for OpenID Connect
+oauth_jwks_url: "" #(optional) something like https://your-identity-provider/oauth/jwks , used by OpenID Connect to obtain a signing key autoamtically (usually in combination with RS256 algorithm)
+oauth_sign_key: {} #(optional) provide a sign key manually (should be a dict that has fields like kty, use,alg,n and e), used by OpenID Connect (usually in combination with RS256 algorithm)
 oauth_scope: [] #Set this to [ "openid", "email" ] if you want to use OpenID Connect
+
 ssh_key_filename: "id_rsa"
 ssh_public_key: "" #ssh public key
 ssh_private_key: "" #ssh private key
diff --git a/roles/languagemachines-python/templates/flat_settings.py b/roles/languagemachines-python/templates/flat_settings.py
index c4e9aeee..60449309 100644
--- a/roles/languagemachines-python/templates/flat_settings.py
+++ b/roles/languagemachines-python/templates/flat_settings.py
@@ -319,7 +319,8 @@
 {% if oauth_jwks_url %}
 OIDC_OP_JWKS_ENDPOINT = "{{ oauth_jwks_url }}"
 {% endif %}
-
+{% if oauth_sign_key %}
+OIDC_RD_IDP_SIGN_KEY = {{ oauth_sign_key | to_json }}
 {% else %}
 OIDC = False
 {% endif %}
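Review bot: The new `{% if oauth_sign_key %}` block has no `{% endif %}` of its own, so the pre-existing `{% else %}` / `OIDC = False` / `{% endif %}` now closes it instead of the enclosing `{% if %}` that starts above the hunk: a deployment that configures OpenID Connect through oauth_jwks_url alone (the common case, since oauth_sign_key defaults to {}) would render `OIDC = False`, and unless a matching `{% endif %}` exists further down the template the enclosing block is left unclosed. The setting name OIDC_RD_IDP_SIGN_KEY also looks like a typo: the neighbouring OIDC_OP_JWKS_ENDPOINT is a mozilla-django-oidc setting, and that library's name for a manually supplied provider key is OIDC_RP_IDP_SIGN_KEY, so with RD the value would presumably be ignored and verification would silently fall back to the JWKS endpoint or fail. I would replace the two added lines with `{% if oauth_sign_key %}`, `OIDC_RP_IDP_SIGN_KEY = {{ oauth_sign_key | to_json }}` and `{% endif %}`. Note that `to_json` emits JSON, which reads as a valid Python dict literal only while every field is a string or number, as the documented kty/use/alg/n/e fields are; a JSON true/false/null inside the dict would break the rendered settings module.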