OIDC multiple JWK keys #463
Comments
|
To be completely honest, I'm not super familiar with this. If it works for you then it probably works, but this example was largely provided by the community and I don't have any first hand experience with it. I suspect #321 would help with this in general, but I don't have the time to work on that feature in the foreseeable future. Pull requests are always open though! |
|
Thanks, appreciate it. |
|
@roivant-matts a JWT using a key from JWKSet should provide a "kid", which the verifier can use to find the correct key in the set. Certain implementations instead try every key in the set until all of them were tried, or one validates the token. Either way, you should always make sure the key you're looking for isn't in the set (either via "kid", or sort of "brute force") before failing the verification. |
|
I am using this project in a couple apps where I was originally using more functionality with LDAP auth. I have now switched to Okta and experience issues ~every 3 months where Okta's 'kids' switch. By default I get the first, but I have config to change to a specific index of the array of 'kids' (not a mission critical apps and involves a restart). At this point I am using only the jwt_required decorators and the @jwt.user_lookup_loader to override the user lookup to get the current_user. Looking at golyalpha's comments, I believe I would need to fork the project and make some changes to the jwt verification process (e.g. loop through the kids). However, Okta also has a JWT verifier. Before I rewrite (fork or roll my own with Okta's JWT verifier), I was curious if it might be possible to drop-in Okta's verifier without forking the flast-jwt-extended project (e.g. using decorators similar to jwt.user_lookup_loader to change the jwt verification process.) https://github.com/okta/okta-jwt-verifier-python e.g. I see this function - token_verification_loader; however, it seems to be called after the default decoding - so may have another purpose from what I am thinking? |
|
Actually, I ended up just creating a barebones extension (borrowing from flask-jwt-extended) with the minimal functionality needed for oidc and using Okta's verifier (which manages the multiple kids part). Still, the project offered a great structure to make this much easier to accomplish vs totally writing from scratch. |
|
Glad you got something working, even if it required a different extension. Hopefully that can help others in the future. If anyone wants to take a stab at enhancing this to allow for keychains, I would be totally open to that, and PRs are absolutely welcome, but I probably wont have the time to work on it for the foreseeable future. Cheers! |
Due to some configuration exploration on my dev okta domain, I was getting signature validation errors that were due to multiple keys being presented at the jwks_uri endpoint. I was able to resolve by grabbing the last key rather than first, but was wondering if this is really an appropriate fix.
flask-jwt-extended/examples/oidc.py
Line 107 in d7ef40e
This example below is not my specific domain, but this gives an idea of another oidc domain with multiple keys (my key ids are not sequential):
https://login.salesforce.com/id/keys
The text was updated successfully, but these errors were encountered: