Add PS256 and EdDSA signature algorithms to AWX when using OIDC · ansible/awx#15127

(0 comments) (2 reactions) (0 assignees)Python (13,071 stars) (3,333 forks)batch import

communityhelp wantedtype:enhancement

説明

Please confirm the following

I agree to follow this project's code of conduct.
I have checked the current issues for duplicates.
I understand that AWX is open source software provided for free and that I might not receive a timely response.

Feature type

New Feature

Feature Summary

Logging in using OIDC is successful when RS256 is set on the IDP (keycloak in my case), but unsuccessful when PS256 or EdDSA is set.

"Use EdDSA where possible and use ECDSA when it is not. If you are forced to use RSA, prefer RSASSA-PSS [PS256] over RSASSA-PKCS1-v1_5 [RS256]" (quoted from “JWTs: Which Signing Algorithm Should I Use?”).

Select the relevant components

Steps to reproduce

Set PS256 or EdDSA as the signature algorithm on the IDP side such as keycloak
configure OIDC settings on AWX pointing to that IDP
login with OIDC

Current results

Sugested feature result

stronger security

Additional information

OpenBanking has already made the transition to PS256 since 03/2019
Australian infosec has a requirement for PS256 since 2019

コントリビューターガイド

技術スタック: python
領域: authenticationsecuritybackend
Issue 種別: feature
難度: 3
推定時間: half day
活動状況: fresh
明確さ: mostly clear
前提条件: OIDC knowledgePython JWT library familiarity
初心者向け度: 45
調査方針: The issue requests adding support for PS256 and EdDSA JWT signature algorithms in AWX's OIDC authentication flow. To implement, locate the OIDC backend code, likely in files handling JWT verification (e.g., awx/sso/ or similar). Investigate the current algorithm support and extend it to include PS256 and EdDSA. Review linked resources like the Scott Brady article for guidance. Ensure compliance with existing authentication tests.