Introduce a new endpoint, /jwks, which returns a JSON Web Key Set (JWKS).
This set of public crypto keys will be used by external parties to encrypt
data intended for our backend. In the context of the resource server, this key
will be used by the authorization server to encrypt the introspection response.
The current implementation exposes a single public key, with the private key
configurable in the app settings. The private key is represented as a string.
For enhanced security, we might prefer to store this data in a .pem file
excluded from version control.
A few parameters for this key, such as its type and encoding, are configurable
in the settings.
A critique of the current design is its lack of extensibility.
If we decide to offer more than one encryption method, this view will require
refactoring.
Additionally, the current implementation is tightly coupled with joserfc.
This lays the foundation for further improvements.
Please note, this endpoint only public components of the key, there is no
chance for any secret leaking.
When we run e2e tests with the CI, we are doing lot of
calls to the backend in a short amount of time. This can
lead to a rate limit particulary on the "user/me" endpoint.
To avoid this, we will use different backend settings
for the e2e tests.
Integrate 'mozilla-django-oidc' dependency, to support
Authorization Code flow, which is required by Agent Connect.
Thus, we provide a secure back channel OIDC flow, and return
to the client only a session cookie.
Done:
- Replace JWT authentication by Session based authentication in DRF
- Update Django settings to make OIDC configurations easily editable
- Add 'mozilla-django-oidc' routes to our router
- Implement a custom Django Authentication class to adapt
'mozilla-django-oidc' to our needs
'mozilla-django-oidc' routes added are:
- /authenticate
- /callback (the redirect_uri called back by the Idp)
- /logout
Keycloak is a open source identity and access management
for modern applications and services.
- add keycloak server in docker-compose
- add keycloak in frontend
Used https://github.com/openfun/joanie as boilerplate, ran a few
transformations with ChapGPT and adapted models and endpoints to
fit to my current vision of the project.
