humanitec / django-oauth-toolkit-jwt

django-oauth-toolkit extension that adds JWT support
MIT License
38 stars 26 forks

Make JWT algorithm configurable #12

Closed ybekdemir closed 4 years ago

ybekdemir commented 6 years ago

Purpose

Currently the django-oauth-toolkit-jwt library supports only the "RS256" algorithm for the encode and decode functions, and it is hard-coded. To be more flexible we want to make the encoding algorithm configurable, and the encode and decode functions will get the algorithm type from the main project settings. We are using pyjwt as a core library and it supports the algorithms below:

HS256
HS384
HS512
RS256
RS384
RS512
ES256
ES384
ES521
ES512
PS256
PS384

We should set 'RS256' as the default algorithm.

Acceptance Criteria

GIVEN I am a developer WHEN I have defined JWT_ALGORITHM in my project settings THEN the JWT is generated with the defined algorithm

GIVEN I am a developer WHEN I have not defined JWT_ALGORITHM in my project settings THEN the JWT is generated with 'RS256' algorithm

TM2500 commented 4 years ago

Currently I'm working on it to make this possible.

Since the HS part of the algorithm definition in RFC 7519 is based on HMAC with SHA (hence the abbreviation HS), I'm proposing a change in the settings.py variables concerning the signature settings (currently JWT_PRIVATE_KEY_RSA_<JWT_ISSUER> and JWT_PUBLIC_KEY_RSA_<JWT_ISSUER>).

At least the "encryption"-relevant part should be of the form JWT_SECRET_<JWT_ISSUER>, since it is clearer for users with HS[256, 384, 512] where to put their secret.

For the users who configured either RSA or ECDSA (the rest of the specified suite, since the PS algorithms also use an RSA key pair), the "encrypting" private key is also in JWT_SECRET_<JWT_ISSUER>. The public key would get the variable JWT_PUBLIC_KEY_<JWT_ISSUER>, similar to the old scheme.

Please let me know if this proposal cannot be accepted.
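As an added illustration (not code from this issue or from django-oauth-toolkit-jwt), the following shows how the settings scheme proposed above could be resolved: JWT_ALGORITHM defaulting to RS256, a shared secret in JWT_SECRET_<issuer> for the HS family, and a private/public key pair split between JWT_SECRET_<issuer> and JWT_PUBLIC_KEY_<issuer> for the asymmetric families. The function name resolve_jwt_config and the use of a plain dict in place of Django's settings module are assumptions of this example.

```python
# Added example, not project code: resolve the signing configuration proposed
# in this issue from a settings mapping (a plain dict stands in for Django's
# settings module here).

SUPPORTED_ALGORITHMS = {
    "HS256", "HS384", "HS512",
    "RS256", "RS384", "RS512",
    "ES256", "ES384", "ES521", "ES512",  # list as given in the issue
    "PS256", "PS384",
}
DEFAULT_ALGORITHM = "RS256"


def resolve_jwt_config(settings, issuer):
    """Return {"algorithm", "signing_key", "verifying_key"} for `issuer`.

    - JWT_ALGORITHM falls back to RS256 when unset.
    - HS* algorithms take a shared secret from JWT_SECRET_<issuer>.
    - RS*/PS*/ES* take the private key from JWT_SECRET_<issuer> and the
      public key from JWT_PUBLIC_KEY_<issuer>.
    """
    algorithm = settings.get("JWT_ALGORITHM", DEFAULT_ALGORITHM)
    if algorithm not in SUPPORTED_ALGORITHMS:
        # Also rejects "none" and any value pyjwt could not sign with.
        raise ValueError(f"unsupported JWT_ALGORITHM: {algorithm!r}")

    secret = settings.get(f"JWT_SECRET_{issuer}")
    if not secret:
        raise ValueError(f"JWT_SECRET_{issuer} is not configured")

    if algorithm.startswith("HS"):
        # A PEM block here means key-pair material was configured for an
        # HMAC algorithm; refuse instead of signing with the wrong key type.
        if "-----BEGIN" in secret:
            raise ValueError("HS algorithms need a shared secret, not a PEM key")
        # Symmetric: the same secret both signs and verifies.
        return {"algorithm": algorithm, "signing_key": secret, "verifying_key": secret}

    public_key = settings.get(f"JWT_PUBLIC_KEY_{issuer}")
    if not public_key:
        raise ValueError(f"JWT_PUBLIC_KEY_{issuer} is required for {algorithm}")
    if "-----BEGIN" not in secret:
        raise ValueError(f"JWT_SECRET_{issuer} must hold a PEM private key for {algorithm}")
    return {"algorithm": algorithm, "signing_key": secret, "verifying_key": public_key}
```

When verifying, pass the resolved algorithm as `algorithms=[config["algorithm"]]` to pyjwt's decode so that the token header cannot select a different algorithm than the one configured.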