Set issuer for IDAs that use OpenID Connect

This should have been set prior to https://github.com/edx/auth-backends/pull/9 being merged. We did not catch this problem until now because the library currently used for JWT validation, pyjwt, simply skips issuer validation if the issuer is set to None. LEARNER-693

Set issuer for IDAs that use OpenID Connect
This should have been set prior to https://github.com/edx/auth-backends/pull/9 being merged. We did not catch this problem until now because the library currently used for JWT validation, pyjwt, simply skips issuer validation if the issuer is set to None. LEARNER-693
2656eb9f · Clinton Blackburn · Clinton Blackburn · a3b27e91 · 2656eb9f · 2656eb9f
Commit 2656eb9f authored Apr 26, 2017 by Clinton Blackburn Committed by Clinton Blackburn Apr 26, 2017
Showing with 13 additions and 3 deletions

playbooks/roles/credentials/defaults/main.yml
+2 -0

playbooks/roles/discovery/defaults/main.yml
+2 -0

playbooks/roles/ecommerce/defaults/main.yml
+8 -3

playbooks/roles/insights/defaults/main.yml
+1 -0

No files found.
--- a/playbooks/roles/credentials/defaults/main.yml
+++ b/playbooks/roles/credentials/defaults/main.yml
@@ -62,6 +62,7 @@ CREDENTIALS_LANGUAGE_CODE: 'en_US.UTF-8'
 CREDENTIALS_SOCIAL_AUTH_EDX_OIDC_KEY: 'SET-ME-TO-A-UNIQUE-LONG-RANDOM-STRING'
 CREDENTIALS_SOCIAL_AUTH_EDX_OIDC_SECRET: 'SET-ME-TO-A-UNIQUE-LONG-RANDOM-STRING'
 CREDENTIALS_SOCIAL_AUTH_REDIRECT_IS_HTTPS: false
+CREDENTIALS_SOCIAL_AUTH_EDX_OIDC_ISSUER: '{{ CREDENTIALS_OAUTH_URL_ROOT }}'

 CREDENTIALS_SERVICE_USER: 'credentials_service_user'

@@ -168,6 +169,7 @@ CREDENTIALS_SERVICE_CONFIG:
  SOCIAL_AUTH_EDX_OIDC_URL_ROOT: '{{ CREDENTIALS_OAUTH_URL_ROOT }}'
  SOCIAL_AUTH_REDIRECT_IS_HTTPS: '{{ CREDENTIALS_SOCIAL_AUTH_REDIRECT_IS_HTTPS }}'
  SOCIAL_AUTH_EDX_OIDC_LOGOUT_URL: '{{ CREDENTIALS_OIDC_LOGOUT_URL }}'
+  SOCIAL_AUTH_EDX_OIDC_ISSUER: '{{ CREDENTIALS_SOCIAL_AUTH_EDX_OIDC_ISSUER }}'

  EXTRA_APPS: '{{ CREDENTIALS_EXTRA_APPS }}'


--- a/playbooks/roles/discovery/defaults/main.yml
+++ b/playbooks/roles/discovery/defaults/main.yml
@@ -81,6 +81,7 @@ DISCOVERY_DEFAULT_PARTNER_ID: 1
 DISCOVERY_SOCIAL_AUTH_EDX_OIDC_KEY : 'discovery-key'
 DISCOVERY_SOCIAL_AUTH_EDX_OIDC_SECRET : 'discovery-secret'
 DISCOVERY_SOCIAL_AUTH_REDIRECT_IS_HTTPS: false
+DISCOVERY_SOCIAL_AUTH_EDX_OIDC_ISSUER: '{{ DISCOVERY_OAUTH_URL_ROOT }}'

 DISCOVERY_PLATFORM_NAME: 'Your Platform Name Here'

@@ -134,6 +135,7 @@ DISCOVERY_SERVICE_CONFIG:
  SOCIAL_AUTH_EDX_OIDC_URL_ROOT: '{{ DISCOVERY_OAUTH_URL_ROOT }}'
  SOCIAL_AUTH_REDIRECT_IS_HTTPS: '{{ DISCOVERY_SOCIAL_AUTH_REDIRECT_IS_HTTPS }}'
  SOCIAL_AUTH_EDX_OIDC_LOGOUT_URL: '{{ DISCOVERY_OIDC_LOGOUT_URL }}'
+  SOCIAL_AUTH_EDX_OIDC_ISSUER: '{{ DISCOVERY_SOCIAL_AUTH_EDX_OIDC_ISSUER }}'

  STATIC_ROOT: "{{ COMMON_DATA_DIR }}/{{ discovery_service_name }}/staticfiles"
  # db config

--- a/playbooks/roles/ecommerce/defaults/main.yml
+++ b/playbooks/roles/ecommerce/defaults/main.yml
@@ -41,6 +41,9 @@ ECOMMERCE_DATABASES:
 ECOMMERCE_VERSION: "master"
 ECOMMERCE_DJANGO_SETTINGS_MODULE: "ecommerce.settings.production"

+ECOMMERCE_OAUTH_URL_ROOT: '{{ EDXAPP_LMS_ROOT_URL | default("http://127.0.0.1:8000") }}/oauth2'
+ECOMMERCE_OIDC_LOGOUT_URL: '{{ EDXAPP_LMS_ROOT_URL | default("http://127.0.0.1:8000") }}/logout'
+
 ECOMMERCE_SESSION_EXPIRE_AT_BROWSER_CLOSE: false
 ECOMMERCE_SECRET_KEY: 'Your secret key here'
 ECOMMERCE_TIME_ZONE: 'UTC'
@@ -54,7 +57,7 @@ ECOMMERCE_JWT_ALGORITHM: 'HS256'
 ECOMMERCE_JWT_VERIFY_EXPIRATION: true
 ECOMMERCE_JWT_DECODE_HANDLER: 'ecommerce.extensions.api.handlers.jwt_decode_handler'
 ECOMMERCE_JWT_ISSUERS:
-  - '{{ ECOMMERCE_LMS_URL_ROOT }}/oauth2'
+  - '{{ ECOMMERCE_OAUTH_URL_ROOT }}'
  - 'ecommerce_worker'  # Must match the value of JWT_ISSUER configured for the ecommerce worker.
 ECOMMERCE_JWT_LEEWAY: 1
 # NOTE: We have an array of keys to allow for support of multiple when, for example,
@@ -67,6 +70,7 @@ ECOMMERCE_JWT_SECRET_KEYS:
 ECOMMERCE_SOCIAL_AUTH_EDX_OIDC_KEY : 'ecommerce-key'
 ECOMMERCE_SOCIAL_AUTH_EDX_OIDC_SECRET : 'ecommerce-secret'
 ECOMMERCE_SOCIAL_AUTH_REDIRECT_IS_HTTPS: false
+ECOMMERCE_SOCIAL_AUTH_EDX_OIDC_ISSUER: '{{ ECOMMERCE_OAUTH_URL_ROOT }}'

 # Settings for affiliate cookie tracking
 ECOMMERCE_AFFILIATE_COOKIE_NAME: '{{ EDXAPP_AFFILIATE_COOKIE_NAME | default("dev_affiliate_id") }}'
@@ -162,9 +166,10 @@ ECOMMERCE_SERVICE_CONFIG:
  SOCIAL_AUTH_EDX_OIDC_KEY: '{{ ECOMMERCE_SOCIAL_AUTH_EDX_OIDC_KEY }}'
  SOCIAL_AUTH_EDX_OIDC_SECRET: '{{ ECOMMERCE_SOCIAL_AUTH_EDX_OIDC_SECRET }}'
  SOCIAL_AUTH_EDX_OIDC_ID_TOKEN_DECRYPTION_KEY: '{{ ECOMMERCE_SOCIAL_AUTH_EDX_OIDC_SECRET }}'
-  SOCIAL_AUTH_EDX_OIDC_URL_ROOT: '{{ ECOMMERCE_LMS_URL_ROOT }}/oauth2'
-  SOCIAL_AUTH_EDX_OIDC_LOGOUT_URL: '{{ ECOMMERCE_LMS_URL_ROOT }}/logout'
+  SOCIAL_AUTH_EDX_OIDC_URL_ROOT: '{{ ECOMMERCE_OAUTH_URL_ROOT }}'
+  SOCIAL_AUTH_EDX_OIDC_LOGOUT_URL: '{{ ECOMMERCE_OIDC_LOGOUT_URL }}'
  SOCIAL_AUTH_REDIRECT_IS_HTTPS: '{{ ECOMMERCE_SOCIAL_AUTH_REDIRECT_IS_HTTPS }}'
+  SOCIAL_AUTH_EDX_OIDC_ISSUER: '{{ ECOMMERCE_SOCIAL_AUTH_EDX_OIDC_ISSUER }}'
  AFFILIATE_COOKIE_KEY: '{{ ECOMMERCE_AFFILIATE_COOKIE_NAME }}'

  STATIC_ROOT: "{{ COMMON_DATA_DIR }}/{{ ecommerce_service_name }}/staticfiles"

--- a/playbooks/roles/insights/defaults/main.yml
+++ b/playbooks/roles/insights/defaults/main.yml
@@ -101,6 +101,7 @@ INSIGHTS_CONFIG:
  SOCIAL_AUTH_EDX_OIDC_KEY: '{{ INSIGHTS_OAUTH2_KEY }}'
  SOCIAL_AUTH_EDX_OIDC_SECRET: '{{ INSIGHTS_OAUTH2_SECRET }}'
  SOCIAL_AUTH_EDX_OIDC_URL_ROOT: '{{ INSIGHTS_OAUTH2_URL_ROOT }}'
+  SOCIAL_AUTH_EDX_OIDC_ISSUER: '{{ INSIGHTS_OAUTH2_URL_ROOT }}'
  SOCIAL_AUTH_EDX_OIDC_LOGOUT_URL: '{{ INSIGHTS_OIDC_LOGOUT_URL }}'
  # This value should be the same as SOCIAL_AUTH_EDX_OIDC_SECRET
  SOCIAL_AUTH_EDX_OIDC_ID_TOKEN_DECRYPTION_KEY: '{{ INSIGHTS_OAUTH2_SECRET }}'