Implementing OAuth2 JWKS

As mentioned here https://github.com/frappe/frappe/issues/6080#issuecomment-497030145, JWKS is not implemented in Frappe.

Can we override these class methods in https://github.com/frappe/frappe/blob/develop/frappe/integrations/oauth2.py and add JWKS anyhow if we are using Frappe Cloud?

Thanks

  1. Create a custom app
  2. Implement oauth.py in your app instead of frappe.oauth
  3. Refer to frappe/integrations/oauth2.py and implement your own endpoints, importing your oauth implementation instead of using Frappe’s
  4. Optionally, in hooks, override the whitelisted functions from frappe.integrations.oauth2 with functions from your app. Or you need to change the endpoints as per your app’s module structure.

Thanks @revant_one, will try the custom app.

Frappe uses client_secret (HS256) to sign and verify the id_token. If you implement JWKS verification then send it as a PR; it may be slower to implement than a custom app, but it will be reviewed by Frappe developers and community contributors, and it will help the community.

  • private keys: can be added to some “settings” doctype as a child table; they can then also be rotated using scheduler events: keep number_of_keys at a time, add a new one and remove the old one every rotation_interval days. number_of_keys keys will always be present at a time.
  • add a jwks endpoint to publish the public keys
  • “settings” will specify HS256 or RS256, defaulting to RS256; publish the algo used in frappe.integrations.oauth2.openid_configuration
  • sign the id_token as per the algo in settings

Hi @Dhaval_Dalwadi,
Did you figure out implementing JWKS or something else?

I am trying to use Frappe as the auth provider for all my sites/apps running in my Kubernetes cluster.
I tried to use oauth2-proxy with Frappe, so as not to handle any kind of auth in my apps, but due to JWKS not being implemented it throws a 500 after login and never redirects to the original URL.
Error redeeming code during OAuth2 callback: could not verify id_token: failed to verify token: failed to verify signature: fetching keys oidc: get keys failed Get "": unsupported protocol scheme ""

It is not supported.

Hi, can you please take a look.

I will try to send a pr.


I am using ERPNext in a Kubernetes setup and wanted some of my web apps to have Frappe as the auth provider.
Earlier I was using Keycloak with oauth2-proxy, as it requires JWKS to be supported by the auth provider. So I have tried it, and the custom image with this patch just works.
It would be helpful to get some feedback before sending a PR.


Check comments.
Send it to official frappe/frappe develop branch.

How do you plan to add the scope-based id_token response?

e.g.

  • the scope openid adds the user id,
  • email will add the email
  • profile will add the name
  • phone will add the phone
  • custom will add a custom string | json
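An added end-to-end example (editor's illustration, not code from this thread or from Frappe) of the design sketched in the earlier post and of the scope-based id_token question just above: a rotating signing-key store standing in for the proposed “settings” child table of private keys, a jwks endpoint body that publishes only public key material, RS256 id_token issuance whose claims depend on the granted scopes, and the relying-party verification that oauth2-proxy performs against jwks_uri. Names such as SigningKeyStore, SCOPE_CLAIMS, build_id_token_claims and the issuer/client values are hypothetical. The RSA primitives are a textbook stdlib implementation so the snippet runs offline; a real patch would use a vetted library for key generation and signing.

```python
import base64, hashlib, hmac, json, secrets, time
_SMALL = [p for p in range(3, 1000, 2) if all(p % q for q in range(3, p, 2))]  # textbook RSA below: stdlib only, illustration, not production

def _is_prime(n, rounds=20):  # trial division by small primes, then Miller-Rabin
    if any(n % p == 0 for p in _SMALL): return n in _SMALL
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd candidate with the top bit set
        if _is_prime(c): return c

def generate_rsa_key(bits=1024, e=65537):
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def int_b64url(n): return b64url(n.to_bytes((n.bit_length() + 7) // 8, "big"))

_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo prefix, RFC 8017
def _emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding into k bytes; RS256 is RSASSA-PKCS1-v1_5 over SHA-256
    t = _DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(pub, msg, sig):
    k = (pub["n"].bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]).to_bytes(k, "big")
    return len(sig) == k and hmac.compare_digest(em, _emsa(msg, k))  # compare the whole encoding, no parsing

class SigningKeyStore:  # hypothetical stand-in for the proposed "settings" child table of private keys
    def __init__(self, number_of_keys=2, rotation_interval=30):
        self.number_of_keys, self.rotation_interval, self.keys = number_of_keys, rotation_interval, []
        for _ in range(number_of_keys):
            self._add_key(time.time())

    def _add_key(self, created):  # newest key first; kid derived from the public modulus
        key = generate_rsa_key()
        key.update(kid=hashlib.sha256(int_b64url(key["n"]).encode()).hexdigest()[:16], created=created)
        self.keys.insert(0, key)

    def rotate(self, now=None):
        """Scheduler job: once the newest key is rotation_interval days old, add a key and drop the oldest."""
        now = time.time() if now is None else now
        if now - self.keys[0]["created"] < self.rotation_interval * 86400:
            return False
        self._add_key(now)
        del self.keys[self.number_of_keys:]  # exactly number_of_keys keys stay live and published
        return True

    def jwks(self):  # body for the jwks_uri endpoint: public parts only, never d
        return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": k["kid"],
                          "n": int_b64url(k["n"]), "e": int_b64url(k["e"])} for k in self.keys]}

# hypothetical scope -> released user fields; openid alone yields only sub
SCOPE_CLAIMS = {"email": ("email",), "profile": ("name",), "phone": ("phone_number",), "custom": ("custom",)}

def build_id_token_claims(user, scopes, issuer, client_id, now, ttl=3600):
    if "openid" not in scopes: raise ValueError("openid scope is required for an id_token")
    claims = {"iss": issuer, "sub": user["id"], "aud": client_id, "iat": now, "exp": now + ttl}
    for scope in scopes:
        claims.update({f: user[f] for f in SCOPE_CLAIMS.get(scope, ()) if f in user})
    return claims

def issue_id_token(store, claims):
    key = store.keys[0]  # always sign with the newest key
    header = {"alg": "RS256", "typ": "JWT", "kid": key["kid"]}
    signing_input = ".".join(b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))
    return signing_input + "." + b64url(rs256_sign(key, signing_input.encode()))

def verify_id_token(token, jwks, issuer, client_id, now):  # relying-party side, what oauth2-proxy does
    h, p, s = token.split(".")
    header = json.loads(b64url_dec(h))
    jwk = next((k for k in jwks["keys"] if k["kid"] == header.get("kid")), None)
    if header.get("alg") != "RS256" or jwk is None:  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg or unknown kid")
    pub = {k: int.from_bytes(b64url_dec(jwk[k]), "big") for k in ("n", "e")}
    if not rs256_verify(pub, f"{h}.{p}".encode(), b64url_dec(s)): raise ValueError("bad signature")
    claims = json.loads(b64url_dec(p))
    if claims["iss"] != issuer or claims["aud"] != client_id or claims["exp"] <= now:
        raise ValueError("claims rejected")
    return claims
```

Rotation keeps the previous key published for one more interval, so id_tokens signed just before a rotation still verify, and a token signed with a retired key is rejected as an unknown kid. The verifier selects the key by kid and pins alg to RS256 instead of trusting the token header, which is what closes the usual alg-confusion hole. In Frappe the jwks_uri and the supported signing algorithm would be advertised from openid_configuration, and the key rows would live in the settings doctype the earlier post describes.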