added jwt-key-file option #111
Conversation
|
Just in case it's not clear, the empty jwt key file that is generated in the Dockerfiles should have zero effect on anything. It's only there so that you can copy a signing key in while doing a custom build and use it in GCP with the login.gov provider. An example of that can be found here: https://github.com/18F/gcp-appengine-template/blob/3c9c979c1f519b7546c77feecfeca4189e79e835/.circleci/config.yml#L311-L341 |
|
Any comments here? This is the last change remaining that is preventing me from using upstream for my project. No rush or anything, but I just wanted to make sure that this wasn't forgotten. :-) |
There was a problem hiding this comment.
I've added a couple of comments in-line
I think we should handle the case where jwt-key and jwt-key-file are set as an error, I think just saying that jwt-key takes precedence in the code would be a bit surprising to the average user perhaps?
Also, could you please update the documentation in the ReadMe to reflect the changes and explain the two parameters?
|
OK. I think I have incorporated all your suggestions. The commandline option list in the README looks big, but I just updated it to the output of oauth_proxy -h from master, which seems to have a different format now. Let me know what you think! |
|
OK. Travis is unstuck now. Should be ready to go! |
There was a problem hiding this comment.
Could you possibly rebase this on top of our master branch and squash down the commits? If travis gets stuck again please let me know and I'll kick it.
The changelog has been updated since we cut a release last week, but for some reason it's not showing as a conflict, the changelog modification will need fixing in this before we can merge. Other than that it's all good 😄
timothy-spencer
force-pushed
the
jwtsigningkeyfile
branch
from
724c47e
to
d550537
Compare
timothy-spencer
force-pushed
the
jwtsigningkeyfile
branch
from
d550537
to
1ae62a3
Compare
|
Done! Rebasing/squashing is not something that I normally do, so please check my work. :-) Thanks for being responsive! |
Description
This adds the ability to have a JWT Key file for login.gov to be specified by a filesystem path as well as the environment variable. It also adds some stuff to the build process so that a jwt key file can be copied in at build time.
Motivation and Context
This is useful for GCP App Engine custom runtime builds, because you cannot use multiline variables in their app.yaml, so you have to build the key into the container and then tell it where it is by setting OAUTH2_PROXY_JWT_KEY_FILE=/etc/ssl/private/jwt_signing_key.pem in app.yaml instead.
How Has This Been Tested?
I have tested this through
go test ./...and through using this code in my own GCP pilot project.Checklist: