Merge pull request #4706 from edx/arch/asymmetric-jwts

Support for Asymmetric JWT Keys

playbooks/roles/common_vars/defaults/main.yml

@@ -220,9 +220,20 @@ COMMON_OAUTH_LOGOUT_URL: '{{ COMMON_OAUTH_BASE_URL }}/logout'
 
 COMMON_OIDC_ISSUER: '{{ COMMON_OAUTH_URL_ROOT }}'
 
+############
+# Settings related to JSON Web Tokens (JWTs).
+# See https://github.com/edx/edx-platform/blob/master/openedx/core/djangoapps/oauth_dispatch/docs/decisions/0003-use-jwt-as-oauth-tokens-remove-openid-connect.rst
 COMMON_JWT_AUDIENCE: 'SET-ME-PLEASE'
 COMMON_JWT_ISSUER: '{{ COMMON_OIDC_ISSUER }}'
+
+# The following should be the string representation of a JSON Web Key Set (JWK set)
+# containing active public keys for signing JWTs.
+# See https://github.com/edx/edx-platform/blob/master/openedx/core/djangoapps/oauth_dispatch/docs/decisions/0008-use-asymmetric-jwts.rst
+COMMON_JWT_PUBLIC_SIGNING_JWK_SET: !!null
+
+# To be deprecated, in favor of the above COMMON_JWT_PUBLIC_SIGNING_JWK_SET.
 COMMON_JWT_SECRET_KEY: 'SET-ME-PLEASE'
+############
 
 # Set worker user default
 CREATE_SERVICE_WORKER_USERS: True

playbooks/roles/edx_django_service/defaults/main.yml

@@ -154,6 +154,7 @@ edx_django_service_jwt_auth:
     - AUDIENCE: '{{ edx_django_service_jwt_audience }}'
       ISSUER: '{{ edx_django_service_jwt_issuer }}'
       SECRET_KEY: '{{ edx_django_service_jwt_secret_key }}'
+  JWT_PUBLIC_SIGNING_JWK_SET: '{{ COMMON_JWT_PUBLIC_SIGNING_JWK_SET }}'
 
 edx_django_service_extra_apps: []
 

playbooks/roles/edxapp/defaults/main.yml

@@ -359,10 +359,16 @@ EDXAPP_UNIVERSITY_EMAIL: 'university@example.com'
 EDXAPP_PRESS_EMAIL: 'press@example.com'
 EDXAPP_LMS_ROOT_URL: "{{ EDXAPP_LMS_BASE_SCHEME | default('https') }}://{{ EDXAPP_LMS_BASE }}"
 EDXAPP_LMS_INTERNAL_ROOT_URL: "{{ EDXAPP_LMS_ROOT_URL }}"
+
 EDXAPP_LMS_ISSUER: "{{ COMMON_JWT_ISSUER }}"
 EDXAPP_JWT_EXPIRATION: 30  # Number of seconds until expiration
 EDXAPP_JWT_AUDIENCE: "{{ COMMON_JWT_AUDIENCE }}"
 EDXAPP_JWT_SECRET_KEY: "{{ COMMON_JWT_SECRET_KEY }}"
+EDXAPP_JWT_PUBLIC_SIGNING_JWK_SET: "{{ COMMON_JWT_PUBLIC_SIGNING_JWK_SET }}"
+
+# See https://github.com/edx/edx-platform/blob/master/openedx/core/djangoapps/oauth_dispatch/docs/decisions/0008-use-asymmetric-jwts.rst
+EDXAPP_JWT_SIGNING_ALGORITHM: !!null
+EDXAPP_JWT_PRIVATE_SIGNING_JWK: !!null
 
 EDXAPP_PLATFORM_TWITTER_ACCOUNT: '@YourPlatformTwitterAccount'
 EDXAPP_PLATFORM_FACEBOOK_ACCOUNT: 'http://www.facebook.com/YourPlatformFacebookAccount'
@@ -1173,13 +1179,8 @@ generic_env_config:  &edxapp_generic_env
   LOG_DIR:  "{{ edxapp_log_dir }}"
   DATA_DIR: "{{ edxapp_data_dir }}"
   JWT_ISSUER: "{{ EDXAPP_LMS_ISSUER }}"
-  DEFAULT_JWT_ISSUER:
-    ISSUER: "{{ EDXAPP_LMS_ISSUER }}"
-    AUDIENCE: "{{ EDXAPP_JWT_AUDIENCE }}"
-    SECRET_KEY: "{{ EDXAPP_JWT_SECRET_KEY }}"
   JWT_EXPIRATION: '{{ EDXAPP_JWT_EXPIRATION }}'
   JWT_PRIVATE_SIGNING_KEY: !!null
-  JWT_EXPIRED_PRIVATE_SIGNING_KEYS: []
   JWT_AUTH:
     JWT_ISSUER: "{{ EDXAPP_LMS_ISSUER }}"
     JWT_AUDIENCE: "{{ EDXAPP_JWT_AUDIENCE }}"
@@ -1188,6 +1189,9 @@ generic_env_config:  &edxapp_generic_env
       - ISSUER: "{{ EDXAPP_LMS_ISSUER }}"
         AUDIENCE: "{{ EDXAPP_JWT_AUDIENCE }}"
         SECRET_KEY: "{{ EDXAPP_JWT_SECRET_KEY }}"
+    JWT_PUBLIC_SIGNING_JWK_SET: "{{ EDXAPP_JWT_PUBLIC_SIGNING_JWK_SET }}"
+    JWT_SIGNING_ALGORITHM: "{{ EDXAPP_JWT_SIGNING_ALGORITHM }}"
+    JWT_PRIVATE_SIGNING_JWK: "{{ EDXAPP_JWT_PRIVATE_SIGNING_JWK }}"
 
   #must end in slash (https://docs.djangoproject.com/en/1.4/ref/settings/#media-url)
   MEDIA_URL:  "{{ EDXAPP_MEDIA_URL }}/"