AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.
Add PS256 and EdDSA signature algorithms to AWX when using OIDC #15127
[X] I understand that AWX is open source software provided for free and that I might not receive a timely response.
Feature type
New Feature
Feature Summary
Logging in using OIDC is successful when RS256 is set on the IDP (keycloak in my case), but unsuccessful when PS256 or EdDSA is set.
"Use EdDSA where possible and use ECDSA when it is not. If you are forced to use RSA, prefer RSASSA-PSS [PS256] over RSASSA-PKCS1-v1_5 [RS256]" (quoted from “JWTs: Which Signing Algorithm Should I Use?”).
Select the relevant components
[ ] UI
[ ] API
[ ] Docs
[ ] Collection
[ ] CLI
[X] Other
Steps to reproduce
Set PS256 or EdDSA as the signature algorithm on the IDP side (such as keycloak)
Configure OIDC settings on AWX pointing to that IDP
Log in with OIDC
Current results
Login is unsuccessful
Suggested feature result
Stronger security
Additional information
OpenBanking has already made the transition to PS256 since 03/2019
Australian infosec has a requirement for PS256 since 2019
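The failure mode above, as an added example that is not AWX's or python-social-auth's code: a relying party whose ID-token verifier only allows RS256 rejects PS256- and EdDSA-signed tokens, while an explicit allow-list that also names those algorithms accepts them. It assumes PyJWT (2.x) and cryptography are installed; the keys, issuer, audience and claims are constructed for the demo.

```python
"""Added example (not AWX code): why an OIDC login fails when the relying
party's ID-token verifier only allows RS256, and how an explicit allow-list
that also names PS256 and EdDSA fixes it. Assumes PyJWT (>=2.0) and
cryptography are installed; keys and claims are constructed for the demo."""
import time
from typing import List, Optional

import jwt
from cryptography.hazmat.primitives.asymmetric import ed25519, rsa

# Constructed signing keys standing in for the IdP's (e.g. keycloak's) keys.
# A real relying party fetches the public keys from the IdP's JWKS endpoint
# and picks the one matching the token's "kid" header.
RSA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
ED_KEY = ed25519.Ed25519PrivateKey.generate()
ISSUER = "https://idp.example/realms/awx"   # hypothetical issuer URL
AUDIENCE = "awx"                            # hypothetical OIDC client id


def issue_id_token(alg: str) -> str:
    """Mint an ID token the way the IdP would, with the chosen JWS algorithm."""
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
              "iat": now, "exp": now + 300}
    key = ED_KEY if alg == "EdDSA" else RSA_KEY  # RS256 and PS256 share the RSA key
    return jwt.encode(claims, key, algorithm=alg)


def verify_id_token(token: str, allowed_algs: List[str]) -> Optional[dict]:
    """Relying-party check: return the claims if the token verifies under one
    of allowed_algs, otherwise None (the 'login is unsuccessful' case)."""
    alg = jwt.get_unverified_header(token).get("alg")
    # Reject anything outside the allow-list before touching the signature;
    # "none" must never be accepted regardless of configuration.
    if alg == "none" or alg not in allowed_algs:
        return None
    public_key = (ED_KEY if alg == "EdDSA" else RSA_KEY).public_key()
    try:
        return jwt.decode(token, public_key, algorithms=allowed_algs,
                          audience=AUDIENCE, issuer=ISSUER)
    except jwt.InvalidTokenError:
        return None


if __name__ == "__main__":
    full_list = ["RS256", "PS256", "EdDSA"]
    for alg in ("RS256", "PS256", "EdDSA"):
        tok = issue_id_token(alg)
        print(alg, "RS256-only ->", verify_id_token(tok, ["RS256"]) is not None,
              "| full list ->", verify_id_token(tok, full_list) is not None)
```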