Add PS256 and EdDSA signature algorithms to AWX when using OIDC · ansible/awx#15127

(0 评论) (2 反应) (0 负责人)Python (13,071 star) (3,333 fork)batch import

communityhelp wantedtype:enhancement

描述

Please confirm the following

I agree to follow this project's code of conduct.
I have checked the current issues for duplicates.
I understand that AWX is open source software provided for free and that I might not receive a timely response.

Feature type

New Feature

Feature Summary

Logging in using OIDC is successful when RS256 is set on the IDP (keycloak in my case), but unsuccessful when PS256 or EdDSA is set.

"Use EdDSA where possible and use ECDSA when it is not. If you are forced to use RSA, prefer RSASSA-PSS [PS256] over RSASSA-PKCS1-v1_5 [RS256]" (quoted from “JWTs: Which Signing Algorithm Should I Use?”).

Select the relevant components

Steps to reproduce

Set PS256 or EdDSA as the signature algorithm on the IDP side such as keycloak
configure OIDC settings on AWX pointing to that IDP
login with OIDC

Current results

Sugested feature result

stronger security

Additional information

OpenBanking has already made the transition to PS256 since 03/2019
Australian infosec has a requirement for PS256 since 2019

贡献者指南

技术栈: python
领域: authenticationsecuritybackend
议题类型: feature
难度: 3
预计时间: half day
活动状态: fresh
清晰度: mostly clear
前置要求: OIDC knowledgePython JWT library familiarity
新手友好度: 45
研究方向: The issue requests adding support for PS256 and EdDSA JWT signature algorithms in AWX's OIDC authentication flow. To implement, locate the OIDC backend code, likely in files handling JWT verification (e.g., awx/sso/ or similar). Investigate the current algorithm support and extend it to include PS256 and EdDSA. Review linked resources like the Scott Brady article for guidance. Ensure compliance with existing authentication tests.