[BB-550] Add generation of asymmetric JWT keys
This PR adds the automatic generation of asymmetric JWT keys when deploying appservers.
It works by creating and storing an RSA key for each instance and generating public and private JWK sets for each AppServer by setting the following Ansible variables: COMMON_JWT_PUBLIC_SIGNING_JWK_SET and EDXAPP_JWT_PRIVATE_SIGNING_JWK.
This is needed because EdX recently switched from HMAC signed JWT keys to asymmetrically encrypted JWT keys.
Dependencies: https://github.com/edx/configuration/pull/4871 [Already merged].
Sandbox URL: TBD - This PR will be deployed for testing on Ocim stage.
Merge deadline: Sprint 182.
Testing instructions:
- Set up the Ocim devstack with this branch.
- Deploy an instance with this configuration:
configuration_source_repo_url https://github.com/edx/configuration
configuration_version master
edx_platform_repository_url https://github.com/edx/edx-platform
edx_platform_commit release
openedx_release master
- Create a new AppServer and check in its configuration whether COMMON_JWT_PUBLIC_SIGNING_JWK_SET and EDXAPP_JWT_PRIVATE_SIGNING_JWK are set.
- Wait for the end of the provisioning and try to log in to the LMS. If the configuration worked correctly, you should be able to log in.
Author notes and concerns:
- This PR includes a migration for storing the RSA key used to generate the JWT keys, because the keys for each AppServer must be compatible in order to preserve interoperability between them.
- I've stored the RSA private key, but I'm unsure that this is the best option for this case.
Reviewers:
- @lgp171188
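Added example, not code from this PR, from Ocim or from edx/configuration: it shows what the two variables named above hold. One RSA key is generated per instance, the private RSA JWK derived from it is the shape of EDXAPP_JWT_PRIVATE_SIGNING_JWK, and the public JWK set (the same key reduced to kty/alg/use/kid/n/e) is the shape of COMMON_JWT_PUBLIC_SIGNING_JWK_SET. An RS256 sign/verify round trip then shows why the key must be shared across AppServers: a token signed with one key verifies only against the public set derived from that same key. Standard library only; the Miller-Rabin key generation is a textbook routine for illustration, and the kid `appserver-shared-1` and the claims are made up.

```python
"""Per-instance RSA key -> private JWK + public JWK set, with an RS256 round trip.
Added example (stdlib only); the key generation is a textbook Miller-Rabin routine,
not the project's tooling. kid and claims below are made up."""
import base64
import hashlib
import json
import secrets
from math import gcd

# DER DigestInfo prefix for SHA-256, RFC 8017 sec 9.2 note 1
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def uint_to_b64url(n: int) -> str:  # JWK integer encoding, RFC 7518 sec 2
    return b64url(n.to_bytes((n.bit_length() + 7) // 8, "big"))


def b64url_to_uint(text: str) -> int:
    return int.from_bytes(b64url_decode(text), "big")


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin; an odd composite passes with probability <= 4**-rounds."""
    if n < 4 or n % 2 == 0 or any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(candidate):
            return candidate


def generate_rsa_key(bits: int = 2048) -> dict:
    """RSA key components as integers; e = 65537 as in common JWKs."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and gcd(e, phi) == 1:
            return {"n": n, "e": e, "d": pow(e, -1, phi), "p": p, "q": q}


def private_jwk(key: dict, kid: str) -> dict:
    """Private RSA JWK (RFC 7518 sec 6.3.2): the shape of EDXAPP_JWT_PRIVATE_SIGNING_JWK."""
    p, q, d = key["p"], key["q"], key["d"]
    return {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
            "n": uint_to_b64url(key["n"]), "e": uint_to_b64url(key["e"]),
            "d": uint_to_b64url(d), "p": uint_to_b64url(p), "q": uint_to_b64url(q),
            "dp": uint_to_b64url(d % (p - 1)), "dq": uint_to_b64url(d % (q - 1)),
            "qi": uint_to_b64url(pow(q, -1, p))}


def public_jwk_set(priv: dict) -> dict:
    """Public JWK set (RFC 7517 sec 5): the shape of COMMON_JWT_PUBLIC_SIGNING_JWK_SET.
    Only kty/alg/use/kid/n/e survive; d, p, q, dp, dq, qi must never leave the signer."""
    return {"keys": [{k: priv[k] for k in ("kty", "alg", "use", "kid", "n", "e")}]}


def emsa_pkcs1_v15_sha256(message: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 (RFC 8017 sec 9.2) as an integer; k = modulus length in bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def sign_jwt(claims: dict, priv: dict) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": priv["kid"]}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    n, d = b64url_to_uint(priv["n"]), b64url_to_uint(priv["d"])
    k = (n.bit_length() + 7) // 8
    sig = pow(emsa_pkcs1_v15_sha256(signing_input.encode(), k), d, n)
    return signing_input + "." + b64url(sig.to_bytes(k, "big"))


def verify_jwt(token: str, jwk_set: dict):
    """Return the claims if the token verifies against a key in the public set, else None."""
    try:
        head_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
    except ValueError:
        return None
    if header.get("alg") != "RS256":  # refuse alg switching ("none", HS256 with n as secret, ...)
        return None
    matches = [j for j in jwk_set["keys"] if j.get("kid") == header.get("kid") and j.get("kty") == "RSA"]
    if len(matches) != 1:
        return None
    n, e = b64url_to_uint(matches[0]["n"]), b64url_to_uint(matches[0]["e"])
    k = (n.bit_length() + 7) // 8
    sig = int.from_bytes(b64url_decode(sig_b64), "big")
    if sig >= n or pow(sig, e, n) != emsa_pkcs1_v15_sha256(f"{head_b64}.{payload_b64}".encode(), k):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    priv = private_jwk(generate_rsa_key(), kid="appserver-shared-1")
    print(json.dumps(public_jwk_set(priv), indent=2))
    print(verify_jwt(sign_jwt({"sub": "student", "aud": "lms"}, priv), public_jwk_set(priv)))
```

The round trip is the property this PR's migration is protecting: every AppServer of an instance must sign with the same private JWK, or tokens issued by one AppServer will fail verification on the others exactly as the "other key" case does here. The verifier also pins `alg` to RS256 and looks the key up by `kid` before touching the signature, which is the usual guard against attacker-controlled `alg` in the header.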