fix: Removed JWT constants from CMS and added comments on how to generate them

Author: rijuma

cms/envs/common.py

@@ -2530,15 +2530,6 @@
 EXAMS_SERVICE_URL = 'http://localhost:18740/api/v1'
 EXAMS_SERVICE_USERNAME = 'edx_exams_worker'
 
-############## Settings for JWT token handling ##############
-TOKEN_SIGNING = {
-    'JWT_ISSUER': 'http://127.0.0.1:8740',
-    'JWT_SIGNING_ALGORITHM': 'RS512',
-    'JWT_SUPPORTED_VERSION': '1.2.0',
-    'JWT_PRIVATE_SIGNING_JWK': None,
-    'JWT_PUBLIC_SIGNING_JWK_SET': None,
-}
-
 FINANCIAL_REPORTS = {
     'STORAGE_TYPE': 'localfs',
     'BUCKET': None,

cms/envs/test.py

@@ -343,34 +343,3 @@
         }
     }
 }
-
-############## Settings for JWT token handling ##############
-TOKEN_SIGNING = {
-    'JWT_ISSUER': 'token-test-issuer',
-    'JWT_SIGNING_ALGORITHM': 'RS512',
-    'JWT_SUPPORTED_VERSION': '1.2.0',
-    'JWT_PRIVATE_SIGNING_JWK': '''{
-        "e": "AQAB",
-        "d": "HIiV7KNjcdhVbpn3KT-I9n3JPf5YbGXsCIedmPqDH1d4QhBofuAqZ9zebQuxkRUpmqtYMv0Zi6ECSUqH387GYQF_XvFUFcjQRPycISd8TH0DAKaDpGr-AYNshnKiEtQpINhcP44I1AYNPCwyoxXA1fGTtmkKChsuWea7o8kytwU5xSejvh5-jiqu2SF4GEl0BEXIAPZsgbzoPIWNxgO4_RzNnWs6nJZeszcaDD0CyezVSuH9QcI6g5QFzAC_YuykSsaaFJhZ05DocBsLczShJ9Omf6PnK9xlm26I84xrEh_7x4fVmNBg3xWTLh8qOnHqGko93A1diLRCrKHOvnpvgQ",
-        "n": "o5cn3ljSRi6FaDEKTn0PS-oL9EFyv1pI7dRgffQLD1qf5D6sprmYfWWokSsrWig8u2y0HChSygR6Jn5KXBqQn6FpM0dDJLnWQDRXHLl3Ey1iPYgDSmOIsIGrV9ZyNCQwk03wAgWbfdBTig3QSDYD-sTNOs3pc4UD_PqAvU2nz_1SS2ZiOwOn5F6gulE1L0iE3KEUEvOIagfHNVhz0oxa_VRZILkzV-zr6R_TW1m97h4H8jXl_VJyQGyhMGGypuDrQ9_vaY_RLEulLCyY0INglHWQ7pckxBtI5q55-Vio2wgewe2_qYcGsnBGaDNbySAsvYcWRrqDiFyzrJYivodqTQ",
-        "q": "3T3DEtBUka7hLGdIsDlC96Uadx_q_E4Vb1cxx_4Ss_wGp1Loz3N3ZngGyInsKlmbBgLo1Ykd6T9TRvRNEWEtFSOcm2INIBoVoXk7W5RuPa8Cgq2tjQj9ziGQ08JMejrPlj3Q1wmALJr5VTfvSYBu0WkljhKNCy1KB6fCby0C9WE",
-        "p": "vUqzWPZnDG4IXyo-k5F0bHV0BNL_pVhQoLW7eyFHnw74IOEfSbdsMspNcPSFIrtgPsn7981qv3lN_staZ6JflKfHayjB_lvltHyZxfl0dvruShZOx1N6ykEo7YrAskC_qxUyrIvqmJ64zPW3jkuOYrFs7Ykj3zFx3Zq1H5568G0",
-        "kid": "token-test-sign", "kty": "RSA"
-    }''',
-    'JWT_PUBLIC_SIGNING_JWK_SET': '''{
-        "keys": [
-            {
-                "kid":"token-test-wrong-key",
-                "e": "AQAB",
-                "kty": "RSA",
-                "n": "o5cn3ljSRi6FaDEKTn0PS-oL9EFyv1pI7dffgRQLD1qf5D6sprmYfWVokSsrWig8u2y0HChSygR6Jn5KXBqQn6FpM0dDJLnWQDRXHLl3Ey1iPYgDSmOIsIGrV9ZyNCQwk03wAgWbfdBTig3QSDYD-sTNOs3pc4UD_PqAvU2nz_1SS2ZiOwOn5F6gulE1L0iE3KEUEvOIagfHNVhz0oxa_VRZILkzV-zr6R_TW1m97h4H8jXl_VJyQGyhMGGypuDrQ9_vaY_RLEulLCyY0INglHWQ7pckxBtI5q55-Vio2wgewe2_qYcGsnBGaDNbySAsvYcWRrqDiFyzrJYivodqTQ"
-            },
-            {
-                "kid":"token-test-sign",
-                "e": "AQAB",
-                "kty": "RSA",
-                "n": "o5cn3ljSRi6FaDEKTn0PS-oL9EFyv1pI7dRgffQLD1qf5D6sprmYfWWokSsrWig8u2y0HChSygR6Jn5KXBqQn6FpM0dDJLnWQDRXHLl3Ey1iPYgDSmOIsIGrV9ZyNCQwk03wAgWbfdBTig3QSDYD-sTNOs3pc4UD_PqAvU2nz_1SS2ZiOwOn5F6gulE1L0iE3KEUEvOIagfHNVhz0oxa_VRZILkzV-zr6R_TW1m97h4H8jXl_VJyQGyhMGGypuDrQ9_vaY_RLEulLCyY0INglHWQ7pckxBtI5q55-Vio2wgewe2_qYcGsnBGaDNbySAsvYcWRrqDiFyzrJYivodqTQ"
-            }
-        ]
-    }''',
-}

lms/envs/common.py

@@ -4320,6 +4320,12 @@ def _make_locale_paths(settings):  # pylint: disable=missing-function-docstring
     'JWT_PUBLIC_SIGNING_JWK_SET': None,
 }
 
+# NOTE: In order to create both JWT_PRIVATE_SIGNING_JWK and JWT_PUBLIC_SIGNING_JWK_SET,
+# start devstack on an lms shell and then run the command:
+# > python manage.py lms generate_jwt_signing_key
+# This will output asymmetric JWTs to use here. Read more on this on:
+# https://github.com/openedx/edx-platform/blob/master/openedx/core/djangoapps/oauth_dispatch/docs/decisions/0008-use-asymmetric-jwts.rst
+
 COURSE_CATALOG_URL_ROOT = 'http://localhost:8008'
 COURSE_CATALOG_API_URL = f'{COURSE_CATALOG_URL_ROOT}/api/v1'
 

openedx/core/lib/tests/test_jwt.py

@@ -7,6 +7,7 @@
 from jwkest import BadSignature, Expired, Invalid, MissingKey, jwk
 from jwkest.jws import JWS
 
+from openedx.core.djangolib.testing.utils import skip_unless_lms
 from openedx.core.lib.jwt import _encode_and_sign, create_jwt, unpack_jwt
 
 
@@ -24,6 +25,7 @@
 }
 
 
+@skip_unless_lms
 class TestSign(unittest.TestCase):
     """
     Tests for JWT creation and signing.
@@ -66,6 +68,7 @@ def _verify_jwt(jwt_token):
     return decoded
 
 
+@skip_unless_lms
 class TestUnpack(unittest.TestCase):
     """
     Tests for JWT unpacking.

requirements/edx/base.txt

@@ -80,6 +80,9 @@ boto3==1.36.3
     #   ora2
 botocore==1.36.3
     # via
+    #   -r requirements/edx/kernel.in
+    #   boto3
+    #   s3transfer
 bridgekeeper==0.9
     # via -r requirements/edx/kernel.in
 cachecontrol==0.14.2
@@ -534,8 +537,6 @@ edx-toggles==5.2.0
     #   edxval
     #   event-tracking
     #   ora2
-edx-token-utils==0.2.1
-    # via -r requirements/edx/kernel.in
 edx-when==2.5.1
     # via
     #   -r requirements/edx/kernel.in

requirements/edx/development.txt

@@ -844,10 +844,6 @@ edx-toggles==5.2.0
     #   edxval
     #   event-tracking
     #   ora2
-edx-token-utils==0.2.1
-    # via
-    #   -r requirements/edx/doc.txt
-    #   -r requirements/edx/testing.txt
 edx-when==2.5.1
     # via
     #   -r requirements/edx/doc.txt

requirements/edx/doc.txt

@@ -628,8 +628,6 @@ edx-toggles==5.2.0
     #   edxval
     #   event-tracking
     #   ora2
-edx-token-utils==0.2.1
-    # via -r requirements/edx/base.txt
 edx-when==2.5.1
     # via
     #   -r requirements/edx/base.txt

requirements/edx/testing.txt

@@ -651,8 +651,6 @@ edx-toggles==5.2.0
     #   edxval
     #   event-tracking
     #   ora2
-edx-token-utils==0.2.1
-    # via -r requirements/edx/base.txt
 edx-when==2.5.1
     # via
     #   -r requirements/edx/base.txt