
feat: allow passing token RSA key as base64 config (#348)
- the config is added under app.authentication.token.rsa_base64

Signed-off-by: Kush Sharma <[email protected]>
kushsharma authored Sep 19, 2023
1 parent e46cd61 commit 0a8f7c7
Showing 4 changed files with 18 additions and 0 deletions.
12 changes: 12 additions & 0 deletions cmd/serve.go
Expand Up @@ -2,6 +2,7 @@ package cmd

import (
"context"
"encoding/base64"
"errors"
"fmt"
"io"
Expand Down Expand Up @@ -202,6 +203,17 @@ func buildAPIDependencies(
tokenKeySet = ks
}
}
if len(cfg.App.Authentication.Token.RSABase64) > 0 {
rawDecoded, err := base64.StdEncoding.DecodeString(cfg.App.Authentication.Token.RSABase64)
if err != nil {
return api.Deps{}, fmt.Errorf("failed to decode rsa key as std-base64: %w", err)
}
if ks, err := jwk.Parse(rawDecoded); err != nil {
return api.Deps{}, fmt.Errorf("failed to parse rsa key: %w", err)
} else {
tokenKeySet = ks
}
}
tokenService := token.NewService(tokenKeySet, cfg.App.Authentication.Token.Issuer,
cfg.App.Authentication.Token.Validity)
sessionService := session.NewService(logger, postgres.NewSessionRepository(logger, dbc), cfg.App.Authentication.Session.Validity)
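Review bot: When both rsa_path and rsa_base64 are configured, the new block guarded by `len(cfg.App.Authentication.Token.RSABase64) > 0` silently overwrites the tokenKeySet that the preceding block loaded from the file, while the sample config in this same commit describes rsa_base64 as a fallback "if rsa_path is not specified". Either reject the ambiguous configuration up front, e.g. `if len(cfg.App.Authentication.Token.RSAPath) > 0 && len(cfg.App.Authentication.Token.RSABase64) > 0 { return api.Deps{}, errors.New("token rsa key: set only one of rsa_path or rsa_base64") }` (errors is already imported), or make the precedence explicit in a comment and in the config docs. The decode also accepts only base64.StdEncoding, so a key pasted in URL-safe or unpadded form fails with a generic message; a comment such as `// rsa_base64 must be standard (padded) base64 of the same key material accepted via rsa_path` above the check would spare operators a round trip. The `} else { tokenKeySet = ks }` after a returning `if` is a style nit (the assignment can follow the if), though it mirrors the existing rsa_path block. buildAPIDependencies starts and ends outside this hunk.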
2 changes: 2 additions & 0 deletions config/sample.config.yaml
Expand Up @@ -88,6 +88,8 @@ app:
# if not specified, access tokens will be disabled
# example: /opt/rsa
rsa_path: ""
# if rsa_path is not specified, rsa_base64 can be used to provide the rsa key in base64 encoded format
rsa_base64: ""
# issuer claim to be added to the jwt
iss: "http://localhost.frontier"
# validity of the token
2 changes: 2 additions & 0 deletions core/authenticate/config.go
Expand Up @@ -21,6 +21,8 @@ type TokenConfig struct {
// jwt will be signed by first key, but will be tried to be decoded by all matching key ids, this helps in key rotation.
// If not provided, access token will not be generated
RSAPath string `yaml:"rsa_path" mapstructure:"rsa_path"`
// RSABase64 is base64 encoded rsa key, it can contain more than one key as a json array
RSABase64 string `yaml:"rsa_base64" mapstructure:"rsa_base64"`

// Issuer uniquely identifies the service that issued the token
// a good example could be fully qualified domain name
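Review bot: The doc comment on the new RSABase64 field says only "base64 encoded rsa key", which leaves out what cmd/serve.go in this commit actually expects: the value is decoded with base64.StdEncoding and handed to jwk.Parse, so it appears to be the standard, padded base64 of the same JWK (set) content that RSAPath points to, and it carries the private signing key(s). Suggest `// RSABase64 is the standard (padded) base64 encoding of the same key material accepted via RSAPath (a JWK set; may hold several keys). Base64 is an encoding, not protection: the value contains private signing keys and should come from a secret source rather than a committed config file.` and add one line stating which field wins when both RSAPath and RSABase64 are set, since the serve.go code does not reject that combination. The TokenConfig struct starts and ends outside this hunk.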
2 changes: 2 additions & 0 deletions docs/docs/reference/configurations.md
Expand Up @@ -94,6 +94,8 @@ app:
# if not specified, access tokens will be disabled
# example: /opt/rsa
rsa_path: ""
# if rsa_path is not specified, rsa_base64 can be used to provide the rsa key in base64 encoded format
rsa_base64: ""
# issuer claim to be added to the jwt
iss: "http://localhost.frontier"
# validity of the token
