Problem/Motivation

Every user should be able to have one or more RSA keys. By using RSA we can either let the user generate the key pair locally and store only the public key in Drupal, or let Drupal generate the key pair, present the private key for download, and save only the public key in the database. Either way the server never holds the private half, which removes the need for secure storage of symmetric secrets.

See https://github.com/gabesullice/jwt/issues/27

Proposed resolution

Add a sub-module that supports creating and storing one or more RSA keys per user.

Remaining tasks

Make it so the auth step checks both the key ID and the user ID; the JWT code makes this a little tricky.

User interface changes

Possibly add one or more tabs by the user profile
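As an added illustration of the scheme the summary describes (example code written for this issue page, not the module's or the patch's code), the following stand-alone PHP script generates a per-user RSA key pair, keeps only the public key PEM as the stored record, signs an RS256 JWT carrying a `kid` header, and makes the auth step accept a token only when that `kid` is registered under the `uid` the token claims. The `uid` claim name, the `kid` derivation (a truncated hash of the public key), and the `$keyStore` shape are assumptions; it uses PHP's openssl functions directly rather than the firebase/php-jwt library the module builds on.

```php
<?php
// Added illustration only (not the Drupal JWT module's or the patch's code).
// Per-user RSA keys: the server keeps only the public key PEM, tokens are
// signed with RS256 and carry a "kid" header, and the auth step accepts a
// token only if that kid is registered under the uid the token claims.
// Assumed names: "uid" claim, "kid" header, $keyStore shape, kid derivation.

declare(strict_types=1);

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string {
    $pad = strlen($data) % 4;
    if ($pad !== 0) {
        $data .= str_repeat('=', 4 - $pad);
    }
    $raw = base64_decode(strtr($data, '-_', '+/'), true);
    return $raw === false ? '' : $raw;
}

// Generate a 2048-bit RSA key pair. The private PEM is what Drupal would offer
// for a one-time download; only the public PEM is stored for the user.
function generate_user_key(): array {
    $res = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($res === false || !openssl_pkey_export($res, $privatePem)) {
        throw new RuntimeException('key generation failed');
    }
    $publicPem = openssl_pkey_get_details($res)['key'];
    // Assumed scheme: key ID is a truncated hash of the public key.
    $kid = substr(hash('sha256', $publicPem), 0, 16);
    return ['kid' => $kid, 'public' => $publicPem, 'private' => $privatePem];
}

// Holder of the private key signs a JWT (RS256 = PKCS#1 v1.5 with SHA-256).
function sign_jwt(array $claims, string $privatePem, string $kid): string {
    $header = base64url_encode(json_encode(['alg' => 'RS256', 'typ' => 'JWT', 'kid' => $kid]));
    $payload = base64url_encode(json_encode($claims));
    if (!openssl_sign("$header.$payload", $sig, $privatePem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return "$header.$payload." . base64url_encode($sig);
}

// Server side. $keyStore maps uid => [kid => publicPem], the shape the per-user
// key storage would hold. Returns the verified claims, or null on any failure.
function verify_jwt(string $jwt, array $keyStore): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64url_decode($h), true);
    $claims = json_decode(base64url_decode($p), true);
    if (!is_array($header) || !is_array($claims)) {
        return null;
    }
    // Pin the algorithm server-side instead of trusting the token's "alg".
    if (($header['alg'] ?? '') !== 'RS256') {
        return null;
    }
    $uid = $claims['uid'] ?? null;
    $kid = $header['kid'] ?? null;
    if ((!is_int($uid) && !is_string($uid)) || !is_string($kid)) {
        return null;
    }
    // Both checks from the summary: the key must exist AND belong to this uid.
    if (!isset($keyStore[$uid][$kid])) {
        return null;
    }
    if (openssl_verify("$h.$p", base64url_decode($s), $keyStore[$uid][$kid], OPENSSL_ALGO_SHA256) !== 1) {
        return null;
    }
    if (isset($claims['exp']) && $claims['exp'] < time()) {
        return null;
    }
    return $claims;
}

// Constructed demo: user 1 registers a key. A token for uid 1 verifies; a token
// that claims uid 2 but is signed with user 1's key is rejected by the uid/kid
// binding even though the signature itself is valid.
$user1 = generate_user_key();
$keyStore = [1 => [$user1['kid'] => $user1['public']]];
$ownToken = sign_jwt(['uid' => 1, 'exp' => time() + 300], $user1['private'], $user1['kid']);
$crossToken = sign_jwt(['uid' => 2, 'exp' => time() + 300], $user1['private'], $user1['kid']);
var_dump(verify_jwt($ownToken, $keyStore) !== null);
var_dump(verify_jwt($crossToken, $keyStore) === null);
```

The point of the last two lines is the "key ID and user ID" check from the remaining tasks: looking a key up by `kid` alone would let a valid signature from one user's key vouch for a token that names a different user, so the lookup is keyed by the claimed `uid` first and the `kid` second.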

Comments

pwolanin created an issue. See original summary.

pwolanin

Status: Active » Needs work
Attachment (new): 8.75 KB

Just dumping in here what I had started on - not sure how much is working.

pwolanin

This could also be a separate project, but not sure which makes more sense?

pwolanin

Title: Create a submodule to handle per-user RSA keys » Create a submodule to handle per-user RSA / elliptic curve keys

ed25519 is an emerging elliptic curve standard that could be a good choice to support, though it's not in the standard.

However, only the NIST curves are supported in the official JWT standard:
https://tools.ietf.org/html/rfc7518#section-3

pwolanin

This other JWT library supports it, but let's try just RSA for now and possibly make a PR on the firebase library to add support.
https://github.com/web-token/jwt-signature-algorithm-eddsa

pwolanin

Attachment (new): 11.79 KB

Here's some more progress; switched to trying to use the user data service for storing keys.

pwolanin

Version: 8.x-0.x-dev » 8.x-1.x-dev
Attachment (new): 21.57 KB

More progress. Starting on Kernel test.

pwolanin

Attachment (new): 23.44 KB

pwolanin

Attachment (new): 28.77 KB

With more added test cases in Kernel test

pwolanin

Attachment (new): 38.93 KB

WIP for building forms

pwolanin

Attachment (new): 42.62 KB

better forms

pwolanin

Attachment (new): 46.96 KB

Add form to generate RSA key

pwolanin

Status: Needs work » Needs review
Attachment (new): 50.94 KB

ready for initial review.

Status: Needs review » Needs work

The last submitted patch, 13: 3013156-13.patch, failed testing.
- codesniffer_fixes.patch: interdiff of automated coding standards fixes only.

pwolanin

Status: Needs work » Needs review
Attachment (new): 53.27 KB

Oops, needed to use the full URL because testbot is in a subdirectory. Also added more test assertions.

pwolanin

Title: Create a submodule to handle per-user RSA / elliptic curve keys » Create a submodule to handle per-user RSA keys

Status: Needs review » Needs work

The last submitted patch, 15: 3013156-15.patch, failed testing.
- codesniffer_fixes.patch: interdiff of automated coding standards fixes only.

pwolanin

Attachment (new): 53.27 KB

Annoying, passes locally. Try without a check for redirect.

pwolanin

Status: Needs work » Needs review
Attachment (new): 53.03 KB

Ok, IDK why the testbot doesn't redirect, but it's not that important.

  • pwolanin committed f20a24c on 8.x-1.x
    Issue #3013156 by pwolanin: Create a submodule to handle per-user RSA...
dandrews

Code from patch 19 reviewed. Everything was well written, great documentation, and lots of tests. CI is passing.
Tested on Drupal 8.8.6, worked great.

Item noted for future improvement: configurable expiration time for JWT. Related issue: JWT Make expiration time configurable

dandrews

Status: Needs review » Reviewed & tested by the community
pwolanin

Status: Reviewed & tested by the community » Fixed
pwolanin

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.