Add PS256 and EdDSA signature algorithms to AWX when using OIDC · ansible/awx#15127

(0 comments) (2 reactions) (0 assignees)Python (13,071 stars) (3,333 forks)batch import

communityhelp wantedtype:enhancement

Description

Please confirm the following

I agree to follow this project's code of conduct.
I have checked the current issues for duplicates.
I understand that AWX is open source software provided for free and that I might not receive a timely response.

Feature type

New Feature

Feature Summary

Logging in using OIDC is successful when RS256 is set on the IDP (keycloak in my case), but unsuccessful when PS256 or EdDSA is set.

"Use EdDSA where possible and use ECDSA when it is not. If you are forced to use RSA, prefer RSASSA-PSS [PS256] over RSASSA-PKCS1-v1_5 [RS256]" (quoted from “JWTs: Which Signing Algorithm Should I Use?”).

Select the relevant components

Steps to reproduce

Set PS256 or EdDSA as the signature algorithm on the IDP side such as keycloak
configure OIDC settings on AWX pointing to that IDP
login with OIDC

Current results

Sugested feature result

stronger security

Additional information

OpenBanking has already made the transition to PS256 since 03/2019
Australian infosec has a requirement for PS256 since 2019

Contributor guide

Tech stack: python
Domain: authenticationsecuritybackend
Issue type: feature
Difficulty: 3
Estimated time: half day
Activity status: fresh
Clarity: mostly clear
Prerequisites: OIDC knowledgePython JWT library familiarity
Newbie friendliness: 45
Research direction: The issue requests adding support for PS256 and EdDSA JWT signature algorithms in AWX's OIDC authentication flow. To implement, locate the OIDC backend code, likely in files handling JWT verification (e.g., awx/sso/ or similar). Investigate the current algorithm support and extend it to include PS256 and EdDSA. Review linked resources like the Scott Brady article for guidance. Ensure compliance with existing authentication tests.