JWT token only #73
JWT token only #73
Conversation
…e public key optional but with warning
There was a problem hiding this comment.
Nice clean up of the bar. I've tested running bartender on my local machine and through docker-compose. It all seems to work nicely. Some of the explanations were a bit unclear to me. I'll continue to review i-VRESSE/haddock3-webapp#47.
docs/configuration.md
Outdated
| The private key of the RSA key pair is used to generate a token in | ||
| an another web application or with the `bartender generate-token` command. | ||
|
|
||
| The public key of the RSA key pair is used to verify that the token comes | ||
| from a trusted source. | ||
| The public key file location is `public_key.pem` | ||
| or value of `BARTENDER_PUBLIC_KEY` environment variable. |
There was a problem hiding this comment.
In this description, who is the owner of the keypair? Is it the bartender or the consumer?
There was a problem hiding this comment.
If my understanding is correct, in this case, the "sender" should be the owner of the keypair. The sender uses their private key to create a token and the "recipient" uses the senders' public key to verify that it could only have been the sender (i.e. the only one knowing their private key) to have generated the token. Correct?
So does that mean that bartender could potentially store multiple public keys for various senders?
There was a problem hiding this comment.
Create #75 for multiple public keys. Will implement when we have a concrete use case.
There was a problem hiding this comment.
If my understanding is correct, in this case, the "sender" should be the owner of the keypair. The sender uses their private key to create a token and the "recipient" uses the senders' public key to verify that it could only have been the sender (i.e. the only one knowing their private key) to have generated the token. Correct?
Yep, correct. That is how https://en.wikipedia.org/wiki/Digital_signature works. The signer owns the private key and gives a public key to the verifier.
So does that mean that bartender could potentially store multiple public keys for various senders?
| egi_redirect_url: Optional[str] = None | ||
| egi_environment: Literal["production", "development", "demo"] = "production" | ||
| # RSA public key used to verify JWT tokens | ||
| public_key: Path = Path("public_key.pem") |
There was a problem hiding this comment.
How does that work when the issuer is not bartender itself?
There was a problem hiding this comment.
In i-VRESSE/haddock3-webapp@441c87d changed issuer to haddock3 webapp as it is the one generating and signing the token with its private key.
There was a problem hiding this comment.
Bartender does not care who is the issuer is. Only that the signature in the token can be verified with its public key. The public key is generated from a private key so there is a pairing up of signer (with private key ) and verifier.
| Create config file `config.yaml` as described at [configuration.md](configuration.md). | ||
| The `job_root_dir` property should be set to `/tmp/jobs` | ||
| which is a Docker compose volume. |
There was a problem hiding this comment.
At first I couldn't find that setting on the linked page. It would be helpful if the job_root_dir section on that page was closer to this header. Perhaps just right above "applications"
docs/deploy.md
Outdated
| To use `bartender generate-token` command inside container you need make | ||
| the private key available in the container. |
There was a problem hiding this comment.
Perhaps add an instruction on how to do that (make private key available to container)?
docs/deploy.md
Outdated
| To use `bartender generate-token` command inside container you need make | ||
| the private key available in the container. |
| Create config file `config.yaml` as described at [configuration.md](configuration.md). | ||
| The `job_root_dir` property should be set to `/tmp/jobs` | ||
| which is a Docker compose volume. |
Replaces the storing of user in db and social logins with asymmetric JWT token.
Fixes #54
Fixes #58
Fixes #57
Fixes #25
Fixes #51
TODO
dont alter existing alembic versions, but add new onefastapi_users_db_sqlalchemy.genericswas imported, so we needed to change version anyway as we dont have that dep anymore.Should be merged together with i-VRESSE/haddock3-webapp#47