Simplify JWT_ISSUER validation

[robrap]

Ideally we would set `verify_iss' to True on this line:

edx-drf-extensions/edx_rest_framework_extensions/auth/jwt/decoder.py

Line 261 in ae7416f

'verify_iss': False, # TODO (ARCH-204): manually verify until issuer is configured correctly.

This would be in place of the manual verification done across all the JWT_ISSUERS, using this code (which could be removed):

edx-drf-extensions/edx_rest_framework_extensions/auth/jwt/decoder.py

Lines 275 to 291 in ae7416f

	# TODO (ARCH-204): verify issuer manually until it is properly configured.
	token_issuer = decoded_token.get('iss')
	# .. custom_attribute_name: jwt_auth_issuer
	# .. custom_attribute_description: Value set to the JWT auth issuer.
	set_custom_attribute('jwt_auth_issuer', token_issuer)
	issuer_matched = any(issuer['ISSUER'] == token_issuer for issuer in get_jwt_issuers())
	if token_issuer == jwt_issuer['ISSUER']:
	# .. custom_attribute_name: jwt_auth_issuer_verification
	# .. custom_attribute_description: Depending on issuer verification, the value will
	# be one of: matches-first-issuer, matches-later-issuer, or no-match.
	set_custom_attribute('jwt_auth_issuer_verification', 'matches-first-issuer')
	elif issuer_matched:
	set_custom_attribute('jwt_auth_issuer_verification', 'matches-later-issuer')
	else:
	set_custom_attribute('jwt_auth_issuer_verification', 'no-match')
	logger.info('Token decode failed due to mismatched issuer [%s]', token_issuer)
	raise jwt.InvalidTokenError('%s is not a valid issuer.' % token_issuer)

Note: this code could be removed once monitoring proves out that jwt_auth_issuer_verification always has a value of matches-first-issuer across services, especially including ecommerce and discovery, which still have add settings.

• Ecommerce example to be cleaned up: https://github.com/openedx/configuration/blob/7a1f160b4fd0eea9101d5316123039ee57425a4c/playbooks/roles/ecommerce/defaults/main.yml#L67
• All uses (including list with single item): https://github.com/search?q=%28org%3Aopenedx+OR+org%3Aedx%29+JWT_ISSUERS&type=code&p=1

Note: Last discussed, it seemed to make sense the JWT_ISSUERS would remain a list, just in case we want to expand again in the future for rotating or moving.

[feanil]

@robrap the last note here seems to suggest that we would still want to manually verify the issuers because then we could have a list of valid issuers? Is that right or is there a way to do this with the underlying JWT library?

[robrap]

@feanil: One possibility is to run through the list and pull out the issuer and audience and keys for each item and use the libary's validation. If it works, success. If not, move on to the next one. This is basically what the old ecommerce decoder did.

In the past, we were trying to get down to a single issuer to make it clear that LMS should be the only identity provider. However, while we may want a single identity provider, we might need a list to migrate to a new provider in the future.

Also note that JWT_PUBLIC_SIGNING_JWK_SET contains a set of keys, but that is meant for rotating keys. We currently have one list, and it isn't part of the ISSUERS list. We could make a separate decision as to whether or not each issuer could have its own jwk set, which could override the main one, if you didn't want to combine keys from different issuers. Sorry if this is confusing, and it certainly is not urgent. For now, we'd just add all keys to the same set, and we'd try all keys for each issuer, even if they weren't relevant.