datopian/ckanext-authz-service

Add route / blueprint to download the JWT public key without the JSON wrapper

Closed this issue · 3 comments

Currently external services can download the JWT public key (if configured) via the API by calling the authz_public_key action. However, this has the problem of being wrapped in JSON:

$ curl -s -H "Authorization: $CKAN_API_KEY" http://127.0.0.1:5000/api/3/action/authz_public_key | jq
{
  "help": "http://ckan-dev:5000/api/3/action/help_show?name=authz_public_key",
  "success": true,
  "result": {
    "public_key": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwa1W4fb4CgFH5EXsLlJI\nVr+r2ZB17hR4mXNhJhj4hXm4UQlC6Rnjc1MJ1fse3ClkaD5GFbGfwnDr2iXMaoBo\nv2F1mZR4TG/5muIEUEwUg2t5z/CBfYMIGG3Fucg9Et2rmc2MQPCPnN5H8XvzCgE4\nWa662tMtGZmM1FtKtMVEM3MRo4rHNS4wcl+SPoKLgAOgWQtIMVy0AYyldRfBVG3+\nvrB4Y++leN8DZZrLYALL93WmMiaZE9Al8rndTte5gIaLJ2cnHXL8KEw6JPBXwP92\nQEIzFlh0Nbt0FSRnX9wrJovJikTeMWD75zevGP5I4Oag0oiARVh5iZHNsEYki2dC\nXOX01Eqh2ZXwuqOUon5RAaJesdbGz5M6G1zY5CTZ7tzgiDkl1vl0PC12J8XmfTda\npg8OxHi9EI8caqIqATaExSMFSFs+OxEog8vv+DifQfVzCxyGiOkw81NRPw46Qylf\nUBaeSYhylc2KRLuMRfVLT5HMLzG7QJ0jinkaUKGJznCzEqynxa187Ar1Z+SDZ07g\nq54mfdM9B6eS/SEbJhFI9oRFv9BSlo8YXfzLHOdXwrmWZDZmzTKfAtQKY9luSfrL\n8Fe0+w4kGtQ5PLXEe7NWCSS9oXnVAs7/cNxqaKNHF8gj39iBvJdyVdqsMHtXdyvz\nZK4b9J6UQSKjmNaLu8EuVi8CAwEAAQ==\n-----END PUBLIC KEY-----\n"
  }
}

This requires clients to be aware of our own specific protocol. While we can keep the API action, it would be nice to allow 3rd party services to get the raw key, with no envelope and in PEM format (or whatever key format is used for our JWT algorithm), with a simple GET request.

This would allow integrating services to be much more "stupid" and just know the "JWT public key URL" instead of using a specific API.

The media type should be application/x-pem-file.

Some specifications:

  • If no public key is configured (i.e. we are using a symmetric algorithm), the route should return 404.
  • If a key is configured it should be sent with a Content-Type: application/x-pem-file header.
  • Route should be public and should not require authentication (optionally this could be turned off by config).
  • Path should be /authz/public_key
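
A dependency-free WSGI sketch of the behaviour the list above specifies, added here as an example and not code from ckanext-authz-service: it serves the raw PEM with the application/x-pem-file media type, answers 404 when no public key is configured or the route is switched off, and refuses to serve anything that is not a public key so a misconfigured setting cannot leak the signing key through an unauthenticated route. The two config key names and the in-process `call_route` helper are assumptions; in CKAN 2.9+ the handler would be registered as a Flask blueprint through IBlueprint.

```python
"""Dependency-free WSGI sketch of the route this issue specifies.
Added example, not code from ckanext-authz-service. In CKAN 2.9+ the same
handler would be registered as a Flask blueprint through IBlueprint; the two
config keys below are hypothetical placeholders, not the extension's settings.
"""
PEM_CONTENT_TYPE = "application/x-pem-file"
ROUTE_PATH = "/authz/public_key"
KEY_SETTING = "ckanext.authz_service.jwt_public_key"         # hypothetical
ENABLED_SETTING = "ckanext.authz_service.public_key_route"  # hypothetical

# Constructed stand-in for a PEM public key; the base64 body is not a real key.
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedbody==\n"
              "-----END PUBLIC KEY-----\n")
NOT_FOUND = ("404 Not Found", [("Content-Type", "text/plain")], b"Not Found\n")


def public_key_response(config):
    """Return (status, headers, body) per the spec: 404 when no key is
    configured (symmetric algorithm), when the route is switched off, or when
    the configured text is not a public key (a private key must never leak
    through an unauthenticated route); else 200 with the raw PEM, no envelope."""
    enabled = str(config.get(ENABLED_SETTING, "true")).lower() == "true"
    key = config.get(KEY_SETTING) or ""
    first = key.splitlines()[0] if key else ""
    looks_public = first.startswith("-----BEGIN ") and first.endswith("PUBLIC KEY-----")
    if not enabled or not looks_public or "PRIVATE" in key:
        return NOT_FOUND
    body = key.encode("ascii")
    headers = [("Content-Type", PEM_CONTENT_TYPE), ("Content-Length", str(len(body)))]
    return "200 OK", headers, body


def make_app(config):
    """WSGI app serving only GET ROUTE_PATH; it never reads an Authorization header."""
    def app(environ, start_response):
        if environ.get("REQUEST_METHOD") == "GET" and environ.get("PATH_INFO") == ROUTE_PATH:
            status, headers, body = public_key_response(config)
        else:
            status, headers, body = NOT_FOUND
        start_response(status, headers)
        return [body]
    return app


def call_route(app, path, method="GET"):
    """Invoke the WSGI app in-process; returns (status, headers, body) for the request."""
    out = {}
    def start_response(status, headers, exc_info=None):
        out["status"], out["headers"] = status, headers
    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return out["status"], out["headers"], body
```

Because the body is the bare PEM text, a consumer can fetch it with a plain GET and feed it straight to its JWT library with no knowledge of the CKAN action API envelope.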

Resolved by #16