
[BB-550] Add generation of asymmetric JWT keys

Giovanni Cimolin da Silva requested to merge giovanni/add-jwt-signing-keys into master

This PR adds the automatic generation of asymmetric JWT keys when deploying appservers.

It works by creating and storing an RSA key for each instance and generating public and private JWK sets for each AppServer, which are set through the following Ansible variables: COMMON_JWT_PUBLIC_SIGNING_JWK_SET and EDXAPP_JWT_PRIVATE_SIGNING_JWK.

This is needed because EdX recently switched from HMAC signed JWT keys to asymmetrically encrypted JWT keys.

Dependencies: https://github.com/edx/configuration/pull/4871 [Already merged].

Sandbox URL: TBD - This PR will be deployed for testing on Ocim stage.

Merge deadline: Sprint 182.

Testing instructions:

  1. Set up the Ocim devstack with this branch.
  2. Deploy an instance with this configuration:
       configuration_source_repo_url   https://github.com/edx/configuration
       configuration_version           master
       edx_platform_repository_url     https://github.com/edx/edx-platform
       edx_platform_commit             release
       openedx_release                 master
  3. Create a new AppServer and check in its configuration whether COMMON_JWT_PUBLIC_SIGNING_JWK_SET and EDXAPP_JWT_PRIVATE_SIGNING_JWK are set.
  4. Wait for the end of the provisioning and try to log in to the LMS; if the configuration worked correctly, you should be able to log in.

Author notes and concerns:

  1. This PR includes a migration for storing the RSA key used to generate the JWT keys, because the keys for each AppServer must be compatible in order to preserve interoperability between them.
  2. I've stored the RSA private key but I'm unsure that is the best option for this case.
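The key-derivation step the description outlines (one stored RSA key per instance, from which a private JWK and a public JWK set are produced and handed to Ansible) can be checked end to end with the added example below. It is not code from this merge request, from Ocim or from edx/configuration: the RSA key generation is a self-contained stand-in for whatever Ocim stores in its migration, the helper names are hypothetical, and it assumes the two variables are serialized as JSON strings (a single JWK for EDXAPP_JWT_PRIVATE_SIGNING_JWK, a JWK set with a "keys" list for COMMON_JWT_PUBLIC_SIGNING_JWK_SET). The consistency check is the kind of assertion a reviewer would want before trusting that every AppServer built from the same stored key interoperates.

```python
import base64
import json
import math
import secrets
from hashlib import sha256

# Added example, not Ocim's or edx/configuration's own code. Function names are
# hypothetical; the two Ansible variable names come from the merge request text.

PRIVATE_PARAMS = ("d", "p", "q", "dp", "dq", "qi")  # RFC 7518 private RSA members


def _b64url_uint(value: int) -> str:
    """Base64url-encode an integer the way RFC 7518 requires (big-endian, no padding)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_to_int(text: str) -> int:
    return int.from_bytes(base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)), "big")


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; fine for a demonstration, not a hardened key generator."""
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if _is_probable_prime(candidate):
            return candidate


def generate_rsa_key(bits: int = 2048) -> dict:
    """Stand-in for the per-instance RSA key Ocim stores: all RSA integers as a dict."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qi": pow(q, -1, p)}


def thumbprint(n: int, e: int) -> str:
    """RFC 7638 JWK thumbprint, used as the 'kid' so both JWKs name the same key."""
    canonical = json.dumps({"e": _b64url_uint(e), "kty": "RSA", "n": _b64url_uint(n)},
                           sort_keys=True, separators=(",", ":"))
    return base64.urlsafe_b64encode(sha256(canonical.encode()).digest()).rstrip(b"=").decode()


def build_jwt_settings(key: dict) -> dict:
    """Derive the two Ansible values from one stored key (assumed JSON-string serialization)."""
    kid = thumbprint(key["n"], key["e"])
    header = {"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256"}
    private_jwk = {**header, **{k: _b64url_uint(key[k]) for k in ("n", "e") + PRIVATE_PARAMS}}
    public_jwk = {**header, "n": _b64url_uint(key["n"]), "e": _b64url_uint(key["e"])}
    return {
        "EDXAPP_JWT_PRIVATE_SIGNING_JWK": json.dumps(private_jwk),
        "COMMON_JWT_PUBLIC_SIGNING_JWK_SET": json.dumps({"keys": [public_jwk]}),
    }


def load_jwks(settings: dict):
    """Parse the two variables back into the private JWK and the list of public JWKs."""
    priv = json.loads(settings["EDXAPP_JWT_PRIVATE_SIGNING_JWK"])
    pubs = json.loads(settings["COMMON_JWT_PUBLIC_SIGNING_JWK_SET"])["keys"]
    return priv, pubs


def keys_are_consistent(settings: dict) -> bool:
    """Verify the public set matches the private JWK, leaks nothing private, and round-trips."""
    priv, pubs = load_jwks(settings)
    pub = next((k for k in pubs if k["kid"] == priv["kid"]), None)
    if pub is None or any(field in pub for field in PRIVATE_PARAMS):
        return False
    n, e, d = (_b64url_to_int(priv[x]) for x in ("n", "e", "d"))
    if _b64url_to_int(pub["n"]) != n or _b64url_to_int(pub["e"]) != e:
        return False
    if pub["kid"] != thumbprint(n, e):
        return False
    m = secrets.randbelow(n)  # private operation followed by public operation must round-trip
    return pow(pow(m, d, n), e, n) == m


if __name__ == "__main__":
    generated = build_jwt_settings(generate_rsa_key())
    print(generated["COMMON_JWT_PUBLIC_SIGNING_JWK_SET"])
    print("consistent:", keys_are_consistent(generated))
```

Running the consistency check against the rendered AppServer configuration (rather than against freshly generated values) is what step 3 of the testing instructions amounts to in code: two AppServers provisioned from the same stored key must produce an identical public JWK set, and the set must never carry any of the private members.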

Reviewers

  • @lgp171188
