Add python client example #156
base: master
Conversation
Demonstrates a Python Flask app that authenticates using keymaster and stores tokens in a JWT. Uses a JWT rotation strategy.
In general: thanks for starting this, but it still needs some work. The Docker dependency on the generator must be removed; the Docker dependency on the app I think should go too, but please make your case. (I am inclined to ask for its removal, but I want to hear your reasoning.)
examples/python/selfsign/Dockerfile
Outdated
@@ -0,0 +1,8 @@ | |||
FROM ubuntu:18.04 |
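Review bot: `FROM ubuntu:18.04` is a moving tag, so the openssl binary the example ends up with changes whenever the tag is rebuilt, which matters because the companion selfsign script depends on a particular openssl feature set (`genpkey`). If the container survives review, pin the image by digest and state in the Dockerfile that it exists only to produce a development self-signed certificate with a known openssl; otherwise drop it as the maintainer asks.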
A Docker container for self-signing is overkill. Just add the Bash script.
examples/python/selfsign/selfsign.sh
Outdated
cd /output | ||
DOMAIN=localhost.$WEBSITE | ||
ANY_INTEGER=$RANDOM | ||
openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 |
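Review bot: `cd /output` is not checked, so if `/output` does not exist the script keeps running and writes `key.pem` into whatever the current directory happens to be; start the script with `set -eu` or write `cd /output || exit 1`. With `set -u`, `DOMAIN=localhost.$WEBSITE` also fails loudly when `WEBSITE` is unset instead of silently producing the domain `localhost.`. `ANY_INTEGER=$RANDOM` is a bash feature, so if the script is meant to run under plain `sh` it will come out empty; give the file a `#!/bin/bash` shebang.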
It is my guess that you added this because of the old version of OpenSSL on macOS, so convert this line into:
openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 || openssl genrsa -out key.pem 2048
Can you help me get around the error I get on OS X?
+ openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048
openssl:Error: 'genpkey' is an invalid command.
examples/python/app.py
Outdated
All keyword args will be signed into a JWT with the response. | ||
""" | ||
resp = make_response(redirect(url)) | ||
resp.set_cookie(jwt_cookie_key, jwt.encode( |
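Review bot: The visible part of `resp.set_cookie(jwt_cookie_key, jwt.encode(` passes only a name and a value. A cookie carrying a signed session token (and, per the other hunk, the OAuth token itself) should also be set with `httponly=True`, `secure=True`, `samesite="Lax"` and a `max_age` matching the JWT's `exp`; without them the token is readable by page scripts, is sent over plain HTTP, and the cookie outlives the token it carries. Werkzeug's `set_cookie` accepts all four keywords.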
Both the cookie and the JWT should have lifetimes, which you should verify: for the redirection it should not be more than 300s, and once authenticated the actual duration should be the duration of the authentication request or, if that is not possible, something on the order of hours (2-8).
Also, if you plan to use the same cookie name for the redirect and the OAuth presence, you should add a field to distinguish these two cases.
examples/python/app.py
Outdated
jwt = get_jwt_token(request.cookies) | ||
if 'oauth_token' in jwt: | ||
# User is authenticated, don't do the auth dance. | ||
client = OAuth2Session(client_id, token=jwt['oauth_token']) |
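Review bot: The local `jwt = get_jwt_token(request.cookies)` shadows the `jwt` module that this same file calls as `jwt.encode(` and `jwt.decode(` in the other hunks, so any PyJWT call later in this function would hit the dict instead of the module; rename the local to something like `claims`. The `if 'oauth_token' in jwt:` branch also treats mere presence of the key as "still usable"; check the token's own expiry (and the JWT's) before constructing `OAuth2Session(client_id, token=jwt['oauth_token'])`, otherwise an expired provider token surfaces as an error at the first API call instead of a clean re-authentication.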
You should store the userinfo in the JWT contents, so that you don't pay a round-trip to the OAuth2 provider on every request. (This is another reason to distinguish the two cookies.)
examples/python/app.py
Outdated
# be rotated out. | ||
for jwt_secret in jwt_secrets: | ||
try: | ||
return jwt.decode( |
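Review bot: The `try:` wrapping `return jwt.decode(` inside `for jwt_secret in jwt_secrets:` should catch only the signature failure (PyJWT's `jwt.InvalidSignatureError`) and let everything else propagate; a broad `except` here turns an expired or not-yet-valid token into "try the next secret" and finally into "no token", which hides exactly the conditions the review asks you to validate and makes them impossible to log. Pass an explicit `algorithms=["HS256"]` (or whatever the encoder uses) to `jwt.decode` so the token header cannot choose the verification algorithm, and order `jwt_secrets` current-first so rotated-out secrets are only a fallback.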
You need to add semantic validation (probably here, probably somewhere else too):
- Does the JWT returned make sense for this request?
- Is it still valid?
- Is it valid yet?
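The three questions above, together with the lifetime and two-cookie-state points raised on the `set_cookie` hunk and the suggestion to carry userinfo in the token, all come down to what is put into the JWT and what is checked when it is read back. The following is an added example, not code from this PR or from keymaster: a stdlib-only HS256 issuer and verifier that tags each token with a `purpose` claim, derives `nbf`/`exp` from that purpose, and verifies against a rotation list in which retired secrets only verify and never sign. The constant names, the exception classes, the 4-hour session TTL (chosen inside the 2-8 h range) and the 30-second clock-skew allowance are assumptions; the sample secrets and claims are constructed.

```python
"""Purpose-tagged, time-bounded HS256 session tokens with secret rotation (stdlib only)."""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Lifetimes from the review: the redirect leg is short, an authenticated session lasts hours.
REDIRECT_TTL = 300           # seconds; the upper bound asked for in review
SESSION_TTL = 4 * 60 * 60    # seconds; assumed value inside the 2-8 h range
CLOCK_SKEW = 30              # seconds of tolerance when comparing nbf/exp (assumed)


class TokenError(Exception):
    """Any rejection; the caller treats every subclass as 'not authenticated'."""

class BadSignature(TokenError): ...
class Expired(TokenError): ...
class NotYetValid(TokenError): ...
class WrongPurpose(TokenError): ...


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def _compact(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_token(secret: bytes, purpose: str, now: Optional[int] = None, **claims) -> str:
    """Mint a JWT whose iat/nbf/exp follow from its purpose ("redirect" or "session").
    Extra keyword claims (e.g. userinfo) ride along so later requests need no provider round-trip."""
    if purpose not in ("redirect", "session"):
        raise ValueError("unknown token purpose: %r" % purpose)
    now = int(time.time()) if now is None else now
    ttl = REDIRECT_TTL if purpose == "redirect" else SESSION_TTL
    payload = dict(claims, purpose=purpose, iat=now, nbf=now, exp=now + ttl)
    signing_input = (_compact({"alg": "HS256", "typ": "JWT"}) + "." + _compact(payload)).encode("ascii")
    return signing_input.decode("ascii") + "." + _b64url(_sign(signing_input, secret))


def verify_token(token: str, secrets: List[bytes], expected_purpose: str,
                 now: Optional[int] = None) -> dict:
    """Check the signature against every rotation secret, then the semantic claims.
    `secrets` lists the current secret first and retired ones after it; retired secrets
    only verify, so tokens issued before a rotation keep working until their exp."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(head_b64))
        payload = json.loads(_unb64url(body_b64))
        sig = _unb64url(sig_b64)
        signing_input = (head_b64 + "." + body_b64).encode("ascii")
    except ValueError:               # wrong part count, bad base64, bad JSON, non-ASCII
        raise BadSignature("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise BadSignature("unexpected alg")      # the token never chooses the algorithm
    if not any(hmac.compare_digest(sig, _sign(signing_input, s)) for s in secrets):
        raise BadSignature("no current or retired secret verifies this token")
    if not isinstance(payload, dict):
        raise BadSignature("payload is not a JSON object")
    # Semantic checks, in the order the review lists them.
    if payload.get("purpose") != expected_purpose:
        raise WrongPurpose("token is for %r, request needs %r" % (payload.get("purpose"), expected_purpose))
    now = int(time.time()) if now is None else now
    nbf, exp = payload.get("nbf"), payload.get("exp")
    if not isinstance(nbf, int) or now + CLOCK_SKEW < nbf:
        raise NotYetValid("nbf=%r is in the future" % nbf)
    if not isinstance(exp, int) or now - CLOCK_SKEW >= exp:
        raise Expired("exp=%r has passed" % exp)
    return payload


def check(token: str, secrets: List[bytes], expected_purpose: str, now: Optional[int] = None):
    """Return the verified claims, or the rejection class name (what the app would log)."""
    try:
        return verify_token(token, secrets, expected_purpose, now)
    except TokenError as err:
        return type(err).__name__


if __name__ == "__main__":
    OLD, NEW = b"retired-secret", b"current-secret"    # constructed sample secrets
    t0 = 1_700_000_000
    tok = issue_token(OLD, "session", now=t0, sub="alice", email="alice@example.invalid")
    print(check(tok, [NEW, OLD], "session", now=t0 + 60))               # claims dict
    print(check(tok, [NEW], "session", now=t0 + 60))                    # BadSignature
    print(check(tok, [NEW, OLD], "redirect", now=t0 + 60))              # WrongPurpose
    print(check(tok, [NEW, OLD], "session", now=t0 + SESSION_TTL + 60)) # Expired
```

Rotation works by signing only with `secrets[0]` and verifying against the whole list, so retiring a secret means moving it down the list and deleting it once every token it signed has passed `exp`. Checking `purpose` before the time claims keeps a redirect-leg token from ever being accepted as an authenticated session even though both ride in the same cookie name.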
f6f66ee to 7b184d9
Demonstrates a Python Flask app that authenticates using keymaster
and stores tokens in a JWT. Uses a JWT rotation strategy.