brut/bincio-auth
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

auth: issue RS256 session cookies when OIDC key is configured

Browse Source 
Login endpoint switches from HS256 JWT to RS256 id_token (aud="bincio",
30-day TTL) when oidc_private_key_pem is set. Existing HS256 sessions
remain valid on bincio-activity until they naturally expire.
This commit is contained in:
Davide Scaini
2026-06-03 15:47:06 +02:00
parent 42bc476882
commit c1c1e7ae4e
2 changed files with 11 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
bincio/auth/deps.py
+7 -2
View File
@@ -68,7 +68,12 @@ def _issue_jwt(user: User) -> str:
_ID_TOKEN_TTL = 3600 # 1 hour — short-lived; clients use refresh or re-auth
def _issue_id_token(user: User, client_id: str, nonce: str | None = None) -> str:
def _issue_id_token(
user: User,
client_id: str,
nonce: str | None = None,
ttl: int | None = None,
) -> str:
"""Issue an RS256 OIDC id_token for the given user and client."""
claims: dict = {
"iss": oidc_issuer,
@@ -83,7 +88,7 @@ def _issue_id_token(user: User, client_id: str, nonce: str | None = None) -> str
}
if nonce:
claims["nonce"] = nonce
return create_id_token(claims, oidc_private_key_pem, _ID_TOKEN_TTL)
return create_id_token(claims, oidc_private_key_pem, ttl if ttl is not None else _ID_TOKEN_TTL)
# ── Rate limiting ─────────────────────────────────────────────────────────────