Centralized JWT Provider (#148)

* Added jwt token verify api endpoint

* Added tests for token verify endpoint

* Added Identity Service URL env variable to workshop and community service

* Chore: Fixed response code for token verify endpoint

* Migrated to using Identity service for token verification in Community service

* Fixed community service build

* Fixed formatting issue

* Migrated to using Identity service for token verification in Workshop service

* Fixed unittests in workshop service

* Fixed response status code of jwt verify endpoint

* Removed JWT_SECRET variable from workshop and community services

* - Added private key for jwt in all deployment methods
- Modified identity service entrypoint to load private key as env variables

* Updated identity service to use user provided private key

* Replaced PEM file with JWKS.json and serving jwks.json from well-known

* Fixed public jwks.json format

* Updated Postman Collections

Co-authored-by: Roshan Piyush <[email protected]>

Author: nikhil-rajesh

deploy/docker/.keys/jwks.json

@@ -0,0 +1,19 @@
+{
+    "keys": [
+        {
+            "p": "-o_gG3DQK9540fR_-WM9dy1YgTR-WSH8FezYnH6I5jwwPB6ocni8XgkWCAiKOPYjK6nhmoTD7DBEetilFIWVj1P0G5fejp_c3H-uQQdd6JW2NBWHfWpADglIEc4NfUgjQ8cXjT1-oIJpXzpX6KOhWEP0yGNBYns7W8CNxbw58vU",
+            "kty": "RSA",
+            "q": "tW1D1JK53TIiip9uBVl6EGzXWPFwy8QXlZHbfg3TfhURUF5OYey9Ig-qxh74KvQ-uzwMZOYux0EdUe0OmV-p27huY-nusHjpxKL6xUxpqsLWrYTa6ygRHep3_A50ksN_XIn83oAjBlG4TEePzBsMQb6F4HDrEhpdPeYepKa5PNc",
+            "d": "XJu0Vh3Uq5gV5UPMCfm_j6D5INgX7VjLSN8mup4LfUBkJAk9vpQmDYF8gVzpMr3YdBk_Y7MI1BapPVg2i-s2UQR4xJYwpDOfKJactGWzruvfiTOKNIc8Q87WhLl2D4_FGI2jfyYk6itCLOOk1zfZdkjLLNiQg1SDOqC28AT-qKh99wLRKiIuewbJVW5C-0D8YjlquBU6rXdKxONYKnA1NHWfJEbPtsyJIlfUs06wjiMcXrLLc6qy98LL8t0oQcGdUTN4rICGGj-uH3k7-evJyKXC_RECmbcMu2q8GkjZ7lvaVtHh3TGGAA5TTc-7kW3MUjpCLLL06erLxCn3CcGr6Q",
+            "e": "AQAB",
+            "use": "sig",
+            "kid": "MKMZkDenUfuDF2byYowDj7tW5Ox6XG4Y1THTEGScRg8",
+            "qi": "IChXZG2VaA05LVfN-nIX03sAZo7ayetTiFKrhGpdmsODw9AoCbBIx4T4SuPnQQBYVkaCAcseyB1XAjqA4Ebm2yvE6yYo-Q8nP-wEo5Mzm18UimCffMox-uSrig1uhuK9oziV-Y11Ytps8yEQq--9BzVTCs1sXAkLVSaO58kGsm4",
+            "dp": "rl98fnxXU4BjIvJ-MWfAOfVj159ZotxE3FlVMivZSClxBBXt8qRVqze1jmerEhMxzMxQRkHJO9EnhzrIP-zrdbDefGmHqEhW41k0QutGjnvKLpshDMXpyBrrfgChYKPYbu3aVSALxNadUHmA_lUKDyxT6TUyJsBOQf9Sat8gkRU",
+            "alg": "RS256",
+            "dq": "d8mf-o-yJmj-w3ZGh0Ovw36JpREs_20GgVvfh1gLpvi0CNNrf1529jFP-SXjh0Di1m7sZAZTJn5IpJoXhI7UMN2SDWgcj-oVtx5A4tnz_qpMYh8RCCjZPF5eQE8vCuQHiIsXKbWC6p40SDELsaC-M_5emHUV0EsV-1OgMehe79s",
+            "n": "sZKrGYja9S7BkO-waOcupoGY6BQjixJkg1Uitt278NbiCSnBRw5_cmfuWFFFPgRxabBZBJwJAujnQrlgTLXnRRItM9SRO884cEXn-s4Uc8qwk6pev63qb8no6aCVY0dFpthEGtOP-3KIJ2kx2i5HNzm8d7fG3ZswZrttDVbSSTy8UjPTOr4xVw1Yyh_GzGK9i_RYBWHftDsVfKrHcgGn1F_T6W0cgcnh4KFmbyOQ7dUy8Uc6Gu8JHeHJVt2vGcn50EDtUy2YN-UnZPjCSC7vYOfd5teUR_Bf4jg8GN6UnLbr_Et8HUnz9RFBLkPIf0NiY6iRjp9ooSDkml2OGql3ww"
+        }
+    ]
+}
+

deploy/docker/docker-compose.yml

@@ -18,6 +18,8 @@ services:
     image: crapi/crapi-identity:${VERSION:-latest}
     #ports:
     #  - "127.0.0.1:8080:8080"
+    volumes:
+      - ./.keys:/.keys
     environment:
       - DB_NAME=crapi
       - DB_USER=admin
@@ -60,6 +62,7 @@ services:
     #ports:
     #  - "127.0.0.1:8087:8087"
     environment:
+      - IDENTITY_SERVICE=crapi-identity:${IDENTITY_SERVER_PORT:-8080}
       - DB_NAME=crapi
       - DB_USER=admin
       - DB_PASSWORD=crapisecretpassword
@@ -71,7 +74,6 @@ services:
       - MONGO_DB_USER=admin
       - MONGO_DB_PASSWORD=crapisecretpassword
       - MONGO_DB_NAME=crapi
-      - JWT_SECRET=crapi
     depends_on:
       postgresdb:
         condition: service_healthy
@@ -96,6 +98,7 @@ services:
     #ports:
     #  - "127.0.0.1:8000:8000"
     environment:
+      - IDENTITY_SERVICE=crapi-identity:${IDENTITY_SERVER_PORT:-8080}
       - DB_NAME=crapi
       - DB_USER=admin
       - DB_PASSWORD=crapisecretpassword
@@ -107,7 +110,6 @@ services:
       - MONGO_DB_USER=admin
       - MONGO_DB_PASSWORD=crapisecretpassword
       - MONGO_DB_NAME=crapi
-      - JWT_SECRET=crapi
       - SECRET_KEY=crapi
     depends_on:
       postgresdb:

deploy/helm/keys/jwks.json

@@ -0,0 +1,19 @@
+{
+    "keys": [
+        {
+            "p": "-o_gG3DQK9540fR_-WM9dy1YgTR-WSH8FezYnH6I5jwwPB6ocni8XgkWCAiKOPYjK6nhmoTD7DBEetilFIWVj1P0G5fejp_c3H-uQQdd6JW2NBWHfWpADglIEc4NfUgjQ8cXjT1-oIJpXzpX6KOhWEP0yGNBYns7W8CNxbw58vU",
+            "kty": "RSA",
+            "q": "tW1D1JK53TIiip9uBVl6EGzXWPFwy8QXlZHbfg3TfhURUF5OYey9Ig-qxh74KvQ-uzwMZOYux0EdUe0OmV-p27huY-nusHjpxKL6xUxpqsLWrYTa6ygRHep3_A50ksN_XIn83oAjBlG4TEePzBsMQb6F4HDrEhpdPeYepKa5PNc",
+            "d": "XJu0Vh3Uq5gV5UPMCfm_j6D5INgX7VjLSN8mup4LfUBkJAk9vpQmDYF8gVzpMr3YdBk_Y7MI1BapPVg2i-s2UQR4xJYwpDOfKJactGWzruvfiTOKNIc8Q87WhLl2D4_FGI2jfyYk6itCLOOk1zfZdkjLLNiQg1SDOqC28AT-qKh99wLRKiIuewbJVW5C-0D8YjlquBU6rXdKxONYKnA1NHWfJEbPtsyJIlfUs06wjiMcXrLLc6qy98LL8t0oQcGdUTN4rICGGj-uH3k7-evJyKXC_RECmbcMu2q8GkjZ7lvaVtHh3TGGAA5TTc-7kW3MUjpCLLL06erLxCn3CcGr6Q",
+            "e": "AQAB",
+            "use": "sig",
+            "kid": "MKMZkDenUfuDF2byYowDj7tW5Ox6XG4Y1THTEGScRg8",
+            "qi": "IChXZG2VaA05LVfN-nIX03sAZo7ayetTiFKrhGpdmsODw9AoCbBIx4T4SuPnQQBYVkaCAcseyB1XAjqA4Ebm2yvE6yYo-Q8nP-wEo5Mzm18UimCffMox-uSrig1uhuK9oziV-Y11Ytps8yEQq--9BzVTCs1sXAkLVSaO58kGsm4",
+            "dp": "rl98fnxXU4BjIvJ-MWfAOfVj159ZotxE3FlVMivZSClxBBXt8qRVqze1jmerEhMxzMxQRkHJO9EnhzrIP-zrdbDefGmHqEhW41k0QutGjnvKLpshDMXpyBrrfgChYKPYbu3aVSALxNadUHmA_lUKDyxT6TUyJsBOQf9Sat8gkRU",
+            "alg": "RS256",
+            "dq": "d8mf-o-yJmj-w3ZGh0Ovw36JpREs_20GgVvfh1gLpvi0CNNrf1529jFP-SXjh0Di1m7sZAZTJn5IpJoXhI7UMN2SDWgcj-oVtx5A4tnz_qpMYh8RCCjZPF5eQE8vCuQHiIsXKbWC6p40SDELsaC-M_5emHUV0EsV-1OgMehe79s",
+            "n": "sZKrGYja9S7BkO-waOcupoGY6BQjixJkg1Uitt278NbiCSnBRw5_cmfuWFFFPgRxabBZBJwJAujnQrlgTLXnRRItM9SRO884cEXn-s4Uc8qwk6pev63qb8no6aCVY0dFpthEGtOP-3KIJ2kx2i5HNzm8d7fG3ZswZrttDVbSSTy8UjPTOr4xVw1Yyh_GzGK9i_RYBWHftDsVfKrHcgGn1F_T6W0cgcnh4KFmbyOQ7dUy8Uc6Gu8JHeHJVt2vGcn50EDtUy2YN-UnZPjCSC7vYOfd5teUR_Bf4jg8GN6UnLbr_Et8HUnz9RFBLkPIf0NiY6iRjp9ooSDkml2OGql3ww"
+        }
+    ]
+}
+

deploy/helm/templates/community/config.yaml

@@ -8,9 +8,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
 data:
+    IDENTITY_SERVICE: {{ .Values.identity.service.name }}:{{ .Values.identity.port }}
     DB_HOST: {{ .Values.postgresdb.service.name }}
     DB_DRIVER: {{ .Values.community.config.postgresDbDriver }}
-    JWT_SECRET: {{ .Values.jwtSecret }}
     DB_USER: {{ .Values.postgresdb.config.postgresUser }}
     DB_PASSWORD: {{ .Values.postgresdb.config.postgresPassword }}
     DB_NAME: {{ .Values.postgresdb.config.postgresDbName }}

deploy/helm/templates/identity/deployment.yaml

@@ -25,10 +25,18 @@ spec:
           args:
             - "service"
             - {{ .Values.postgresdb.service.name | quote }}
+      volumes:
+        - name: jwt-key-secret
+          secret:
+            secretName: {{ .Values.identity.jwtKeySecret.name }}
       containers:
         - name: {{ .Values.identity.name }}
           image: {{ .Values.identity.image }}:{{ .Chart.AppVersion }}
           imagePullPolicy: {{ .Values.imagePullPolicy }}
+          volumeMounts:
+            - mountPath: "/.keys"
+              name: jwt-key-secret
+              readOnly: true
           ports:
           - containerPort: {{ .Values.identity.port }}
           envFrom:

deploy/helm/templates/identity/jwt-key-secret.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.identity.jwtKeySecret.name }}
+  labels:
+    release: {{ .Release.Name }}
+    {{- with .Values.identity.config.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+type: Opaque
+data:
+{{ (.Files.Glob .Values.identity.jwtKeySecret.file).AsSecrets | indent 2 }}

deploy/helm/templates/workshop/config.yaml

@@ -6,10 +6,10 @@ metadata:
     release: {{ .Release.Name }}
     {{- toYaml .Values.workshop.config.labels | nindent 4 }}
 data:
+    IDENTITY_SERVICE: {{ .Values.identity.service.name }}:{{ .Values.identity.port }}
     SECRET_KEY: {{ .Values.workshop.config.secretKey }}
     DB_HOST: {{ .Values.postgresdb.service.name }}
     DB_DRIVER: {{ .Values.workshop.config.postgresDbDriver }}
-    JWT_SECRET: {{ .Values.jwtSecret }}
     DB_USER: {{ .Values.postgresdb.config.postgresUser }}
     DB_PASSWORD: {{ .Values.postgresdb.config.postgresPassword }}
     DB_NAME: {{ .Values.postgresdb.config.postgresDbName }}

deploy/helm/values.yaml

@@ -48,6 +48,11 @@ identity:
     name: crapi-identity
     labels:
       app: crapi-identity
+  jwtKeySecret:
+    name: jwt-key-secret
+    file: keys/jwks.json
+    labels:
+      app: crapi-identity
   config:
     name: crapi-identity-configmap
     labels:

deploy/k8s/base/community/config.yaml

@@ -5,9 +5,9 @@ metadata:
   labels:
     app: crapi-community
 data:
+    IDENTITY_SERVICE: crapi-identity:8080
     DB_HOST: postgresdb
     DB_DRIVER: postgres
-    JWT_SECRET: crapi
     DB_USER: admin
     DB_PASSWORD: crapisecretpassword
     DB_NAME: crapi

deploy/k8s/base/deploy.sh

@@ -3,6 +3,7 @@ cd "$(dirname $0)"
 kubectl create namespace crapi
 #kubectl apply -f https://raw.githubusercontent.com/rancher/local-path-provisioner/master/deploy/local-path-storage.yaml
 
+kubectl create -n secret generic jwt-key-secret --from-file=../keys
 kubectl apply -n crapi -f ./rbac
 kubectl apply -n crapi -f ./mongodb
 kubectl apply -n crapi -f ./postgres