Set Up JWT_PUBLIC_SIGNING_JWK_SET and JWT_PRIVATE_SIGNING_JWK
Log onto server
Switch to edxapp user
# Run the rest of this procedure as the edxapp service user (-H sets HOME to edxapp's).
sudo -H -u edxapp bash
# Load edxapp's environment; presumably this puts the virtualenv that provides
# Cryptodome and jwkest on PATH for the python2 step below -- confirm on your install.
source /edx/app/edxapp/edxapp_env
cd /edx/app/edxapp/edx-platform
Create a new file which you can call key_gen.py, with the following code:
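import json

from Cryptodome.PublicKey import RSA
from jwkest import jwk

# key_gen.py -- generate the RSA JWT signing key pair used by lms.env.json /
# cms.env.json (JWT_PRIVATE_SIGNING_JWK, JWT_PUBLIC_SIGNING_JWK_SET) and by
# ecommerce.yml (JWT_PUBLIC_SIGNING_JWK_SET). Both values are printed already
# escaped (" -> \") so they can be pasted inside a JSON string literal.
#
# Runs under Python 2 (as this page invokes it) and Python 3: print() is only
# ever called with a single string argument, which behaves the same on both.

# Size of the RSA modulus in bits.
KEY_SIZE_BITS = 2048

try:
    _read_line = raw_input  # Python 2: raw_input returns the raw string
except NameError:
    _read_line = input  # Python 3: input is the equivalent


def escape_for_json_string(text):
    """Backslash-escape every double quote so `text` can sit inside a JSON string literal.

    Args:
        text: a str (normally a JSON document).
    Returns:
        the same text with each " replaced by \\".
    """
    return text.replace('"', '\\"')


def main():
    # Ask for the Key Identifier; it becomes the JWK "kid" so a verifier can
    # pick this key out of the key set.
    key_identifier = _read_line("Key Identifier? ")
    print("")
    print("")

    rsa_key = RSA.generate(KEY_SIZE_BITS)
    rsa_jwk = jwk.RSAKey(kid=key_identifier, key=rsa_key)

    # Public half: KEYS.dump_jwks() serializes only the public members.
    public_keys = jwk.KEYS()
    public_keys.append(rsa_jwk)
    serialized_public_keys_json = public_keys.dump_jwks()
    print("JWT_PUBLIC_SIGNING_JWK_SET value for lms.env.json and cms.env.json is")
    print("")
    print(escape_for_json_string(serialized_public_keys_json))
    print("")
    print("")

    # Private half. The previous version built this from str(dict) and then
    # swapped quote characters and stripped Python 2 u'' prefixes by hand,
    # which produces pseudo-JSON and breaks on any value containing a quote
    # or a literal "u\". Serializing to a dict and letting json.dumps emit
    # real JSON is exact. This is the signing secret: it belongs only in the
    # LMS/CMS configuration, and it lands in the terminal scrollback here.
    private_jwk_json = json.dumps(rsa_jwk.serialize(private=True))
    print("JWT_PRIVATE_SIGNING_JWK value for lms.env.json and cms.env.json is")
    print("")
    print(escape_for_json_string(private_jwk_json))
    print("")
    print("")


if __name__ == "__main__":
    main()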
Run the file
python2 key_gen.py
When prompted, enter a Key ID. It becomes the `kid` field of the generated JWK, so any label that identifies this key will do; the example below uses ecommerce_key.
ecommerce_key
Two JSON values, already escaped for embedding inside a JSON string, are printed for JWT_PUBLIC_SIGNING_JWK_SET and JWT_PRIVATE_SIGNING_JWK. Save these. The JWT_PRIVATE_SIGNING_JWK value is the private signing key: treat it as a secret and paste it only into the LMS/CMS configuration described below.
JWT_PUBLIC_SIGNING_JWK_SET value for lms.env.json and cms.env.json is
{\"keys\": [{\"kid\": \"ecommerce_key\", \"e\": \"AQAB\", \"kty\": \"RSA\", \"n\": \"aDwmveO88wvegtk5_JQdE5T1FvBrCppG6NoYH5LT8EnZdhtdJWDnadISCgzLgyH2jTsSD2U7_tbJJMw5sStbZGCLYvoVenHFRlC-E4AMLaU5uAH68qlyTp3hFGyxTSSPISaCTndxVaClo6sRnfPRfotQI1bZ8p4PCRHwWbFATNW1eAySSYnO5ecNCGkvN84c5aCAFjwuEGNe1p9kerw3hn6ssK4LfU5wJ9QEqZJ6uFy67V0IHzhbCpWxO0mYC5GSVFRgtrppRz8JgQOdtYZk20OqqEPz0Mh3FzyIT3Sl7m6zmO4SksbjWYx3zUc-Ff4lSmprhEoc0HIybO3W_cCkrw\"}]}
JWT_PRIVATE_SIGNING_JWK value for lms.env.json and cms.env.json is
{\"e\": \"AQAB\", \"d\": \"AeOGWHKmLmxXxWSSmfY9bVkJzM7gdeuOk5MmRuwCaRfnE-D_CojjnMIbiIAZN_MtGNQjfm2soSIKvzaBl39vC4ijGeRDXE_zlJVCNZ-BD-OYgqKgU1AB-Ycsboy-F1ha8hjFwqx9wl5ruf0k0RGBYlI-08hunLCtg_QbCwzZu69LvM8SeZRlOlSlU308vMmCdUHrXRjsOBaMUrmjXxCkfjF2Nipt6Id1qoiL86sYObBbiWcgdbir1FKw458p0Yt2DQPrZsG0b0mpV0P_2CHlVXPA5lJpA6tV3F5g8SZyUmxzcuanXhjRfq7puK5aQ1YXTgqfAqIbhAlnGsP2hKsomQ\", \"n\": \"aDwmveO88wvegtk5_JQdE5T1FvBrCppG6NoYH5LT8EnZdhtdJWDnadISCgzLgyH2jTsSD2U7_tbJJMw5sStbZGCLYvoVenHFRlC-E4AMLaU5uAH68qlyTp3hFGyxTSSPISaCTndxVaClo6sRnfPRfotQI1bZ8p4PCRHwWbFATNW1eAySSYnO5ecNCGkvN84c5aCAFjwuEGNe1p9kerw3hn6ssK4LfU5wJ9QEqZJ6uFy67V0IHzhbCpWxO0mYC5GSVFRgtrppRz8JgQOdtYZk20OqqEPz0Mh3FzyIT3Sl7m6zmO4SksbjWYx3zUc-Ff4lSmprhEoc0HIybO3W_cCkrw\", \"q\": \"w7OSZk5b1l_11yxV6-DDmpyNm4w-Z83TWVnm18rlDOXTWaHe4XqvFOhd3qhiLQgJlVSwHs_BiguPassTYPqZKfaobKLyGINb8sG54clz6A7lwngNWQYLUEXFzL-mmol26lrQXZKblj7Sp-157Hj4-zmMSte5Y-4Fv-w_eS4YKzM\", \"p\": \"vNG3xrvfpP7b0UFGORXl7dZKi-kk6Tkpq0krRz7JIlYr3uuG5_AAKnXRZmtGjif2jUBQ6XdSuweiYyAHmEGkqkbbVr-dfRcXkGGDyzPEsO5kbjTM1gGSQIkjBKJNJwu8PxQ6LVT7sqczzi9ZnAgqyqoXKlWtLE8Pe-HR48uSgJU\", \"kid\": \"ecommerce_key\", \"kty\": \"RSA\"}
In lms.env.json, modify JWT_PUBLIC_SIGNING_JWK_SET, JWT_PRIVATE_SIGNING_JWK, and JWT_SIGNING_ALGORITHM (the generator labels its output for cms.env.json as well, so presumably the same edit applies there).
The following is an excerpt with some values changed. The key material shown is an example only; use the output of your own key_gen.py run rather than copying these values.
"JWT_ISSUERS": [
{
"AUDIENCE": "ecommerce-key",
"ISSUER": "https://example.com/oauth2",
"SECRET_KEY": "ecommerce-secret"
}
],
"JWT_PRIVATE_SIGNING_JWK": "{\"e\": \"AQAB\", \"d\": \"AeOGWHKmLmxXxWSSmfY9bVkJzM7gdeuOk5MmRuwCaRfnE-D_CojjnMIbiIAZN_MtGNQjfm2soSIKvzaBl39vC4ijGeRDXE_zlJVCNZ-BD-OYgqKgU1AB-Ycsboy-F1ha8hjFwqx9wl5ruf0k0RGBYlI-08hunLCtg_QbCwzZu69LvM8SeZRlOlSlU308vMmCdUHrXRjsOBaMUrmjXxCkfjF2Nipt6Id1qoiL86sYObBbiWcgdbir1FKw458p0Yt2DQPrZsG0b0mpV0P_2CHlVXPA5lJpA6tV3F5g8SZyUmxzcuanXhjRfq7puK5aQ1YXTgqfAqIbhAlnGsP2hKsomQ\", \"n\": \"aDwmveO88wvegtk5_JQdE5T1FvBrCppG6NoYH5LT8EnZdhtdJWDnadISCgzLgyH2jTsSD2U7_tbJJMw5sStbZGCLYvoVenHFRlC-E4AMLaU5uAH68qlyTp3hFGyxTSSPISaCTndxVaClo6sRnfPRfotQI1bZ8p4PCRHwWbFATNW1eAySSYnO5ecNCGkvN84c5aCAFjwuEGNe1p9kerw3hn6ssK4LfU5wJ9QEqZJ6uFy67V0IHzhbCpWxO0mYC5GSVFRgtrppRz8JgQOdtYZk20OqqEPz0Mh3FzyIT3Sl7m6zmO4SksbjWYx3zUc-Ff4lSmprhEoc0HIybO3W_cCkrw\", \"q\": \"w7OSZk5b1l_11yxV6-DDmpyNm4w-Z83TWVnm18rlDOXTWaHe4XqvFOhd3qhiLQgJlVSwHs_BiguPassTYPqZKfaobKLyGINb8sG54clz6A7lwngNWQYLUEXFzL-mmol26lrQXZKblj7Sp-157Hj4-zmMSte5Y-4Fv-w_eS4YKzM\", \"p\": \"vNG3xrvfpP7b0UFGORXl7dZKi-kk6Tkpq0krRz7JIlYr3uuG5_AAKnXRZmtGjif2jUBQ6XdSuweiYyAHmEGkqkbbVr-dfRcXkGGDyzPEsO5kbjTM1gGSQIkjBKJNJwu8PxQ6LVT7sqczzi9ZnAgqyqoXKlWtLE8Pe-HR48uSgJU\", \"kid\": \"ecommerce_key\", \"kty\": \"RSA\"}",
"JWT_PUBLIC_SIGNING_JWK_SET": "{\"keys\": [{\"kid\": \"ecommerce_key\", \"e\": \"AQAB\", \"kty\": \"RSA\", \"n\": \"aDwmveO88wvegtk5_JQdE5T1FvBrCppG6NoYH5LT8EnZdhtdJWDnadISCgzLgyH2jTsSD2U7_tbJJMw5sStbZGCLYvoVenHFRlC-E4AMLaU5uAH68qlyTp3hFGyxTSSPISaCTndxVaClo6sRnfPRfotQI1bZ8p4PCRHwWbFATNW1eAySSYnO5ecNCGkvN84c5aCAFjwuEGNe1p9kerw3hn6ssK4LfU5wJ9QEqZJ6uFy67V0IHzhbCpWxO0mYC5GSVFRgtrppRz8JgQOdtYZk20OqqEPz0Mh3FzyIT3Sl7m6zmO4SksbjWYx3zUc-Ff4lSmprhEoc0HIybO3W_cCkrw\"}]}",
"JWT_SECRET_KEY": "ecommerce-secret",
"JWT_SIGNING_ALGORITHM": "RS512"
},
"JWT_EXPIRATION": 30,
Next, edit /edx/etc/ecommerce.yml and update JWT_ALGORITHM and JWT_PUBLIC_SIGNING_JWK_SET. Only the public key set goes into ecommerce.yml; the private JWK stays in lms.env.json and cms.env.json.
JWT_AUTH:
# NOTE(review): the indentation under JWT_AUTH appears to have been lost in this
# excerpt; in the real file the keys below are nested under JWT_AUTH.
JWT_ALGORITHM: RS512
JWT_DECODE_HANDLER: ecommerce.extensions.api.handlers.jwt_decode_handler
JWT_ISSUERS:
- AUDIENCE: ecommerce-key
ISSUER: https://example.com/oauth2
SECRET_KEY: ecommerce-secret
# This second issuer entry still carries SET-ME-PLEASE placeholders; presumably
# they must be filled in (or the entry removed) before the restart -- confirm.
- AUDIENCE: SET-ME-PLEASE
ISSUER: discoverystaff
SECRET_KEY: SET-ME-PLEASE
JWT_LEEWAY: 1
# Public key set only: the private JWK printed by key_gen.py must not be copied here.
# NOTE(review): the value is shown unquoted with backslash-escaped quotes; confirm
# the ecommerce settings loader reads it as the same JSON string key_gen.py printed
# (lms.env.json wraps the same text in double quotes).
JWT_PUBLIC_SIGNING_JWK_SET: {\"keys\": [{\"kid\": \"ecommerce_key\", \"e\": \"AQAB\", \"kty\": \"RSA\", \"n\": \"aDwmveO88wvegtk5_JQdE5T1FvBrCppG6NoYH5LT8EnZdhtdJWDnadISCgzLgyH2jTsSD2U7_tbJJMw5sStbZGCLYvoVenHFRlC-E4AMLaU5uAH68qlyTp3hFGyxTSSPISaCTndxVaClo6sRnfPRfotQI1bZ8p4PCRHwWbFATNW1eAySSYnO5ecNCGkvN84c5aCAFjwuEGNe1p9kerw3hn6ssK4LfU5wJ9QEqZJ6uFy67V0IHzhbCpWxO0mYC5GSVFRgtrppRz8JgQOdtYZk20OqqEPz0Mh3FzyIT3Sl7m6zmO4SksbjWYx3zUc-Ff4lSmprhEoc0HIybO3W_cCkrw\"}]}
JWT_SECRET_KEY: ecommerce-secret
JWT_VERIFY_EXPIRATION: true
Restart Everything
sudo /edx/bin/supervisorctl restart all
