"""
JWT authentication module for GraphQL Federation.
This module provides JWT-based authentication for GraphQL requests going through
Hive Router. It uses the X-BackendAI-Token custom header to avoid conflicts with
existing Bearer token usage in appproxy.
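Supports both HS256 (symmetric, per-user secret keys) and RS256 (asymmetric,
RSA key pairs) signing algorithms, with JWKS utilities for distributed key
management. The signer and the validator must be configured with the same
algorithm; because both a symmetric and an asymmetric algorithm are supported,
a validator should accept only its configured algorithm rather than the one
named in a token's header.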
Key components:
- JWTSigner: Generates JWT tokens from authenticated user context (webserver)
- JWTValidator: Validates JWT tokens and extracts user claims (manager)
- JWTConfig: Configuration for JWT authentication
- JWTClaims: Dataclass representing JWT payload claims
- JWKSKeySet: Public key set indexed by key ID for RS256 validation
- JWKSFetcher: Async JWKS endpoint fetcher with TTL caching
- Key utilities: RSA key generation, loading, serialization, and JWK conversion

Example usage (HS256):
    from ai.backend.common.jwt import JWTSigner, JWTConfig, JWTUserContext

    config = JWTConfig()
    signer = JWTSigner(config)
    user_context = JWTUserContext(
        access_key=access_key,
        role="user",
    )
    # secret_key is the per-user HS256 secret; keep it out of logs and source control.
    token = signer.generate_token(user_context, secret_key)

Example usage (RS256):
    from pathlib import Path

    from ai.backend.common.jwt import JWTSigner, JWTConfig, JWTUserContext
    from ai.backend.common.jwt.keys import load_private_key

    config = JWTConfig(algorithm="RS256")
    signer = JWTSigner(config)
    # user_context is a JWTUserContext built as in the HS256 example.
    private_key = load_private_key(Path("/path/to/private.pem"))
    token = signer.generate_token(user_context, private_key=private_key, kid="key-1")
"""
from ai.backend.common.jwt.config import JWTAlgorithm, JWTConfig
from ai.backend.common.jwt.exceptions import (
JWKSError,
JWKSFetchError,
JWKSKeyNotFoundError,
JWTDecodeError,
JWTError,
JWTExpiredError,
JWTInvalidClaimsError,
JWTInvalidSignatureError,
)
from ai.backend.common.jwt.jwks import JWKSFetcher, JWKSKeySet
from ai.backend.common.jwt.keys import (
generate_rsa_key_pair,
load_private_key,
load_public_key,
private_key_to_pem,
public_key_to_jwk,
public_key_to_pem,
)
from ai.backend.common.jwt.signer import JWTSigner
from ai.backend.common.jwt.types import JWTClaims, JWTUserContext
from ai.backend.common.jwt.validator import JWTValidator
# Public API of the package: the names exported by a star-import. Every entry
# is imported from one of the jwt submodules at the top of this file.
__all__ = [
    # Configuration objects
    "JWTAlgorithm",
    "JWTConfig",
    # Claim and user-context types
    "JWTClaims",
    "JWTUserContext",
    # Token signing and validation
    "JWTSigner",
    "JWTValidator",
    # JWKS key set and endpoint fetcher
    "JWKSKeySet",
    "JWKSFetcher",
    # Key management helpers. The private-key functions handle signing key
    # material, so callers should treat their inputs and outputs as secrets.
    "generate_rsa_key_pair",
    "load_private_key",
    "load_public_key",
    "private_key_to_pem",
    "public_key_to_pem",
    "public_key_to_jwk",
    # Exception types
    "JWTError",
    "JWTExpiredError",
    "JWTInvalidSignatureError",
    "JWTInvalidClaimsError",
    "JWTDecodeError",
    "JWKSError",
    "JWKSFetchError",
    "JWKSKeyNotFoundError",
]