Add python client example #156
Conversation
Demonstrates a python flask app to authenticate using keymaster and store tokens in JWT. Uses a JWT rotation strategy.
There was a problem hiding this comment.
I general: Thanks for starting this. But still needs some work. The docker dependency on the generator must be removed, the docker dependency on the app I think it should but please make your case. (I am inclined on asking the removal, but I want to hear reasoning).
examples/python/selfsign/Dockerfile
Outdated
| @@ -0,0 +1,8 @@ | |||
| FROM ubuntu:18.04 | |||
There was a problem hiding this comment.
a docker container for a self-signing is overkill. Just add the Bash script.
examples/python/selfsign/selfsign.sh
Outdated
| cd /output | ||
| DOMAIN=localhost.$WEBSITE | ||
| ANY_INTEGER=$RANDOM | ||
| openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 |
There was a problem hiding this comment.
It is my guess that you added this because of the old version of openssl on macos, so convert this line into:
openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 || openssl genrsa 2048
There was a problem hiding this comment.
Can you help me get around the error I get on osx?
+ openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048
openssl:Error: 'genpkey' is an invalid command.
examples/python/app.py
Outdated
| All keyword args will be signed into a JWT with the response. | ||
| """ | ||
| resp = make_response(redirect(url)) | ||
| resp.set_cookie(jwt_cookie_key, jwt.encode( |
There was a problem hiding this comment.
Both the Cookie and the jwt token should have lifetimes. Which you should verify, for the redirection is should not be more than 300s and once authenticated the actual duration it should be the duration of the authentication request or if not possible, something in the order of hours (2-8).
Also if you plan to use the same cookie name for the redirect and the outh presence you should add a field to distinguish these two cases.
examples/python/app.py
Outdated
| jwt = get_jwt_token(request.cookies) | ||
| if 'oauth_token' in jwt: | ||
| # User is authenticated, don't do the auth dance. | ||
| client = OAuth2Session(client_id, token=jwt['oauth_token']) |
There was a problem hiding this comment.
you should store the userinfo in the jwt contents, so that you dont pay a round-trip to the oauth2 provider at every request. (this is another reason to distinguish the two cookies)
examples/python/app.py
Outdated
| # be rotated out. | ||
| for jwt_secret in jwt_secrets: | ||
| try: | ||
| return jwt.decode( |
There was a problem hiding this comment.
you need to add semantic validation... (probably here, problably somewhere else):
- Does the jwt return makes sense for this request?
- Is is still valid?
- It it valid yet?
bytesandwich
force-pushed
the
master
branch
from
f6f66ee
to
7b184d9
Compare
Demonstrates a python flask app to authenticate using keymaster
and store tokens in JWT. Uses a JWT rotation strategy.