Update docs with details of signing key pairs

README.md

@@ -37,6 +37,17 @@ You will need to create a "certs" directory in the root of the project, and move
 
 Most of the endpoints require a client certificate to be presented. As the directory service is not yet available, the contents of the certificate will not be checked with an external, so any valid certificate will be acceptable. The certificate **is** used to confirm identity, so the same one must be presented in all requests.
 
+## Creating signing certificates
+
+A separate set of certificates are required for signing JWTs. These can be generated using the `signingcerts.sh` script in the `scripts` directory.
+
+```bash
+cd scripts
+./signingcerts.sh
+```
+
+The default configuration will expect these certificate to be in authentication/api/certs. The location can be changed by setting the DIRECTORY_CERTIFICATE and DIRECTORY_PRIVATE_KEY environment variables.
+
 ## Running the local docker environment
 
 The included docker compose file will bring up both APIs. It uses nginx to proxy requests to uvicorn, with nginx configuration to pass through client certificates to the backend, using the same header as used by AWS ALB (`x-amzn-mtls-clientcert`).

authentication/api/auth.py

@@ -167,7 +167,7 @@ def get_thumbprint(cert: str) -> str:
 
 def create_id_token(subject="platform_user") -> str:
     claims = {
-        "iss": "https://perseus-demo-energy.ib1.org",
+        "iss": f"{conf.ISSUER_URL}",
         "sub": subject,
         "aud": conf.CLIENT_ID,
         "exp": int(time.time()) + 3600,

authentication/api/conf.py

@@ -20,7 +20,10 @@
     "CLIENT_SECRET", "uE4NgqeIpuSV_XejQ7Ds3jsgA1yXhjR1MXJ1LbPuyls"
 )
 OAUTH_URL = os.environ.get(
-    "OAUTH_URL", "https://musing-kirch-t48np94ikp.projects.oryapis.com"
+    "OAUTH_URL", "https://vigorous-heyrovsky-1trvv0ikx9.projects.oryapis.com"
+)
+OAUTH_CLIENT_ID = os.environ.get(
+    "OAUTH_CLIENT_ID", "f67916ce-de33-4e2f-a8e3-cbd5f6459c30"
 )
 AUTHORIZATION_ENDPOINT = os.environ.get(
     "AUTHORIZATION_ENDPOINT",

authentication/api/main.py

@@ -66,7 +66,7 @@ async def docs() -> dict:
     return {"docs": "/api-docs"}
 
 
-@app.post("/api/v1/par", response_model=models.PushedAuthorizationResponse)
+@app.post("/api/v1/par", response_model=models.PushedAuthorizationResponse, status_code=201)
 async def pushed_authorization_request(
     response_type: Annotated[str, Form()],
     client_id: Annotated[str, Form()],
@@ -151,7 +151,7 @@ async def authorize(
     # Construct authorization URL with request object and PKCE parameters
     authorization_url = (
         f"{conf.AUTHORIZATION_ENDPOINT}?"
-        f"client_id={conf.CLIENT_ID}&"
+        f"client_id={conf.OAUTH_CLIENT_ID}&"
         f"response_type=code&"
         f"redirect_uri={par_request['redirect_uri']}&"
         f"scope={par_request['scope']}&"
@@ -187,7 +187,7 @@ async def token(
         "grant_type": grant_type,
         "code": code,
         "redirect_uri": redirect_uri,
-        "client_id": client_id,
+        "client_id": conf.OAUTH_CLIENT_ID,
         "code_verifier": code_verifier,
     }
     session = requests.Session()

authentication/tests/test_api.py

@@ -39,7 +39,7 @@ def test_pushed_authorization_request(mock_redis_connection):
         headers={"x-amzn-mtls-clientcert": client_certificate()},
     )
 
-    assert response.status_code == 200
+    assert response.status_code == 201
     print(response.json())
     assert "request_uri" in response.json()
 

scripts/signingcerts.sh

@@ -0,0 +1,5 @@
+# Create a key pair suitable for signing jwts and creating a jwks endpoint
+
+openssl ecparam -name prime256v1 -genkey -noout -out server-signing-private-key.pem 
+openssl ec -in server-signing-private-key.pem -pubout -out server-signing-public-key.pem
+