feat: add JWT signed authentication for OAuth application API (#318)

* feat(auth): add JWT signed authentication for OAuth application API

* feat(support-api): allow AnonymousUser access only via JWT-signed OAuth authentication

Author: magajh

CHANGELOG.md

@@ -11,6 +11,11 @@ Please do not update the unreleased notes.
 
 <!-- Content should be placed here -->
 
+## [v11.3.0](https://github.com/eduNEXT/eox-core/compare/v11.2.0...v11.3.0) - (2025-03-02)
+
+### Added
+- Added signed JWT authentication for the OAuth application API to support secure authentication when creating tenant OAuth clients from Control Center.
+
 ## [v11.2.0](https://github.com/eduNEXT/eox-core/compare/v11.1.0...v11.2.0) - (2025-01-20)
 
 ### Added

eox_core/__init__.py

@@ -1,4 +1,4 @@
 """
 Init for main eox-core app
 """
-__version__ = '11.2.0'
+__version__ = '11.3.0'

eox_core/api/support/v1/authentication.py

@@ -0,0 +1,56 @@
+"""
+Custom authenticators for the Support V1 API.
+"""
+import time
+
+import jwt
+from django.conf import settings
+from django.contrib.auth.models import AnonymousUser
+from jwt import ExpiredSignatureError, InvalidTokenError
+from rest_framework import authentication
+from rest_framework.authentication import get_authorization_header
+
+
+class JWTsignedOauthAppAuthentication(authentication.BaseAuthentication):
+    """
+    Authentication class to verify JWTs signed by trusted services.
+    Allows authentication for the OauthApplicationAPIView in Open edX.
+    """
+
+    def authenticate(self, request):
+        """
+        Extracts the JWT token from the Authorization header and verifies it.
+        If authentication fails, it does NOT raise an exception to allow
+        other authentication classes to attempt authentication.
+        """
+        auth = get_authorization_header(request).split()
+
+        if not auth or auth[0].lower() != b'bearer':
+            return None
+
+        if len(auth) != 2:
+            return None
+
+        token = auth[1]
+        return self.authenticate_token(token)
+
+    def authenticate_token(self, token):
+        """
+        Attempts to authenticate the JWT token. If verification fails,
+        returns None instead of raising an exception, allowing other authentication
+        classes to handle authentication.
+        """
+        try:
+            decoded_payload = jwt.decode(
+                token,
+                settings.EOX_CORE_JWT_SIGNED_OAUTH_APP_PUBLIC_KEY,
+                algorithms=["RS256"]
+            )
+
+            if decoded_payload["exp"] < time.time():
+                return None
+
+            return (AnonymousUser(), None)
+
+        except (ExpiredSignatureError, InvalidTokenError):
+            return None

eox_core/api/support/v1/permissions.py

@@ -3,8 +3,11 @@
 """
 Custom Support API permissions module
 """
+from django.contrib.auth.models import AnonymousUser
 from rest_framework import exceptions, permissions
 
+from eox_core.api.support.v1.authentication import JWTsignedOauthAppAuthentication
+
 
 class EoxCoreSupportAPIPermission(permissions.BasePermission):
     """
@@ -14,9 +17,15 @@ class EoxCoreSupportAPIPermission(permissions.BasePermission):
 
     def has_permission(self, request, view):
         """
-        For now, to grant access only checks if the requesting user:
-            1) is_staff
+        Grants access if:
+        1) The user was authenticated via the signed JWT token (AnonymousUser but authenticated).
+        2) The user is authenticated and is a staff user.
         """
+        if isinstance(request.user, AnonymousUser):
+            auth_class_used = getattr(request.successful_authenticator, "__class__", None)
+            if auth_class_used == JWTsignedOauthAppAuthentication:
+                return True
+
         if request.user.is_staff:
             return True
 

eox_core/api/support/v1/views.py

@@ -20,6 +20,7 @@
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
+from eox_core.api.support.v1.authentication import JWTsignedOauthAppAuthentication
 from eox_core.api.support.v1.permissions import EoxCoreSupportAPIPermission
 from eox_core.api.support.v1.serializers import (
     OauthApplicationSerializer,
@@ -154,7 +155,7 @@ class OauthApplicationAPIView(UserQueryMixin, APIView):
     django_oauth_toolkit Application object.
     """
 
-    authentication_classes = (BearerAuthentication, SessionAuthentication, JwtAuthentication)
+    authentication_classes = (JWTsignedOauthAppAuthentication, BearerAuthentication, SessionAuthentication, JwtAuthentication)
     permission_classes = (EoxCoreSupportAPIPermission,)
     renderer_classes = (JSONRenderer, BrowsableAPIRenderer)
 

eox_core/settings/common.py

@@ -50,6 +50,7 @@ def plugin_settings(settings):
     settings.EOX_CORE_ASYNC_TASKS = []
     settings.EOX_CORE_THIRD_PARTY_AUTH_BACKEND = 'eox_core.edxapp_wrapper.backends.third_party_auth_l_v1'
     settings.EOX_CORE_LANG_PREF_BACKEND = 'eox_core.edxapp_wrapper.backends.lang_pref_middleware_p_v1'
+    settings.EOX_CORE_JWT_SIGNED_OAUTH_APP_PUBLIC_KEY = ''
 
     if settings.EOX_CORE_USER_ENABLE_MULTI_TENANCY:
         settings.EOX_CORE_USER_ORIGIN_SITE_SOURCES = [

setup.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 11.2.0
+current_version = 11.3.0
 commit = False
 tag = False
 

setup.py

@@ -8,7 +8,6 @@
 
 from setuptools import setup
 
-
 with open("README.rst", "r") as fh:
     README = fh.read()