Updated ecommerce to support multiple signing keys

ECOM-4414

Updated ecommerce to support multiple signing keys
ECOM-4414
9f591c53 · Clinton Blackburn · d4cb4678 · 9f591c53
Commit 9f591c53 authored May 16, 2016 by Clinton Blackburn
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

playbooks/roles/ecommerce/defaults/main.yml
+7 -0

No files found.
--- a/playbooks/roles/ecommerce/defaults/main.yml
+++ b/playbooks/roles/ecommerce/defaults/main.yml
@@ -51,6 +51,12 @@ ECOMMERCE_JWT_ISSUERS:
  - '{{ ECOMMERCE_LMS_URL_ROOT }}/oauth2'
  - 'ecommerce_worker'  # Must match the value of JWT_ISSUER configured for the ecommerce worker.

+# NOTE: We have an array of keys to allow for support of multiple when, for example,
+# we change keys. This will ensure we continue to operate with JWTs issued signed with the old key
+# while migrating to the new key.
+ECOMMERCE_JWT_SECRET_KEYS:
+  - ECOMMERCE_JWT_SECRET_KEY
+
 # Used to automatically configure OAuth2 Client
 ECOMMERCE_SOCIAL_AUTH_EDX_OIDC_KEY : 'ecommerce-key'
 ECOMMERCE_SOCIAL_AUTH_EDX_OIDC_SECRET : 'ecommerce-secret'
@@ -141,6 +147,7 @@ ECOMMERCE_SERVICE_CONFIG:
    JWT_LEEWAY: 1
    JWT_DECODE_HANDLER: '{{ ECOMMERCE_JWT_DECODE_HANDLER }}'
    JWT_ISSUERS: '{{ ECOMMERCE_JWT_ISSUERS }}'
+    JWT_SECRET_KEYS: '{{ ECOMMERCE_JWT_SECRET_KEYS }}'
  SOCIAL_AUTH_EDX_OIDC_KEY: '{{ ECOMMERCE_SOCIAL_AUTH_EDX_OIDC_KEY }}'
  SOCIAL_AUTH_EDX_OIDC_SECRET: '{{ ECOMMERCE_SOCIAL_AUTH_EDX_OIDC_SECRET }}'
  SOCIAL_AUTH_EDX_OIDC_ID_TOKEN_DECRYPTION_KEY: '{{ ECOMMERCE_SOCIAL_AUTH_EDX_OIDC_SECRET }}'