Implementing OAuth2 JWKS

As mentioned here (https://github.com/frappe/frappe/issues/6080#issuecomment-497030145), JWKS is not implemented in Frappe.

Can we override these class methods in https://github.com/frappe/frappe/blob/develop/frappe/integrations/oauth2.py
and add JWKS anyhow if we are using Frappe Cloud?

Thanks

  1. Create a custom app
  2. Implement oauth.py in your app instead of frappe.oauth
  3. Refer to frappe/integrations/oauth2.py and implement your own endpoints importing your oauth implementation instead of using frappe’s
  4. Optionally, in hooks, override the whitelisted functions from frappe.integrations.oauth2 with functions from your app. Otherwise you need to change endpoints as per your app’s module structure.

Thanks @revant_one, will try the custom app.

Frappe uses client_secret (HS256) to sign and verify id_token. If you implement JWKS verification, then send it as a PR; it may be slower to implement than a custom app. It’ll be reviewed by Frappe developers and community contributors. It’ll help the community.

  • private keys: can be added to some “settings” doctype as a child table; they can then also be rotated using scheduler events: keep number_of_keys at a time, add a new one and remove the old one every rotation_interval days. number_of_keys keys will always be present at a time.
  • add a jwks endpoint to publish the public keys
  • “settings” will specify HS256 or RS256, defaulting to RS256; publish the algo used in frappe.integrations.oauth2.openid_configuration
  • sign id_token as per the algo in settings
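As an added example that is not part of this thread or of frappe’s code, the following Python sketch implements the design in these bullets: an RSA key ring rotated to keep number_of_keys keys, the JWKS document for the public endpoint, RS256 signing of an id_token carrying the signing key’s kid, and relying-party verification against the published keys. Key generation uses a stdlib Miller-Rabin search so it runs without extra packages; the names gen_rsa_key, rotate_keys, jwks, sign_id_token and verify_id_token are hypothetical, not frappe APIs.

```python
import base64, hashlib, json, secrets
def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def int_b64u(n): return b64u(n.to_bytes((n.bit_length() + 7) // 8, "big"))

def _rand_prime(bits, rounds=16):
    # Miller-Rabin search, enough for a demo; a deployment generates keys with a crypto library.
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        r = ((n - 1) & (1 - n)).bit_length() - 1; d = (n - 1) >> r   # n - 1 == 2**r * d, d odd
        for _ in range(rounds):
            x = pow(secrets.randbelow(n - 3) + 2, d, n)
            if x in (1, n - 1): continue
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1: break
            else: break                                  # witness found: composite, next candidate
        else: return n
def gen_rsa_key(bits=1024, e=65537):
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:      # e is prime, so this is gcd(e, phi) == 1
            return {"kid": secrets.token_hex(8), "n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}
def rotate_keys(keys, number_of_keys):  # scheduler job every rotation_interval days
    return [gen_rsa_key()] + keys[:number_of_keys - 1]   # newest first, oldest dropped
def jwks(keys):  # body for the public JWKS endpoint: public parts only, never "d"
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": k["kid"],
                      "n": int_b64u(k["n"]), "e": int_b64u(k["e"])} for k in keys]}
_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix for SHA-256
def _emsa_pkcs1_v15(msg, k):
    t = _DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def sign_id_token(key, claims):  # key is keys[0], the current signing key
    head = b64u(json.dumps({"alg": "RS256", "typ": "JWT", "kid": key["kid"]}).encode())
    body = b64u(json.dumps(claims).encode())
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(f"{head}.{body}".encode(), k), "big")
    return f"{head}.{body}." + b64u(pow(m, key["d"], key["n"]).to_bytes(k, "big"))

def verify_id_token(token, jwks_doc):  # relying party: key by kid, alg pinned, then signature
    head, body, sig = token.split(".")
    hdr = json.loads(unb64u(head))
    jwk = next((j for j in jwks_doc["keys"] if j["kid"] == hdr.get("kid")), None)
    if hdr.get("alg") != "RS256" or jwk is None: return None   # unknown kid or alg switching
    n, e = (int.from_bytes(unb64u(jwk[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    expected = _emsa_pkcs1_v15(f"{head}.{body}".encode(), k)
    ok = pow(int.from_bytes(unb64u(sig), "big"), e, n).to_bytes(k, "big") == expected
    return json.loads(unb64u(body)) if ok else None
```

Once a key falls out of the ring it leaves the JWKS and tokens it signed stop verifying, so number_of_keys and rotation_interval must together outlast the id_token lifetime.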