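#!/usr/bin/env python3
"""generate ES256 JWK for OAuth confidential client.

outputs a JSON string suitable for the OAUTH_JWK environment variable.
the output is a *private* JWK (it carries the EC private scalar ``d``),
so handle it like any other credential and keep .env out of version
control.

usage:
    uv run python scripts/gen_oauth_jwk.py

then add to your .env:
    OAUTH_JWK='{"kty":"EC","crv":"P-256",...}'
"""

import json
import time

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec
from jose import jwk


def generate_jwk() -> str:
    """generate ES256 (P-256) JWK for OAuth client authentication.

    Returns:
        JSON string of the private JWK with ``kid``, ``use`` and ``alg``
        members set. ``kid`` is the current UNIX time in whole seconds,
        so two keys generated within the same second share a ``kid``.
    """
    # generate P-256 (secp256r1) key pair -- the curve ES256 requires
    private_key = ec.generate_private_key(ec.SECP256R1())

    # serialize to unencrypted PKCS#8 PEM; this is only an in-memory
    # hand-off to python-jose, the PEM is never written to disk here
    pem_bytes = private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption(),
    )

    # convert to JWK using python-jose; the dict includes the private scalar "d"
    key_obj = jwk.construct(pem_bytes, algorithm="ES256")
    # older python-jose releases hand back the base64url members as bytes,
    # which json.dumps rejects -- normalise to str so output does not depend
    # on the installed version
    jwk_dict = {
        member: value.decode("ascii") if isinstance(value, bytes) else value
        for member, value in key_obj.to_dict().items()
    }

    # add key ID based on timestamp (for key rotation)
    jwk_dict["kid"] = str(int(time.time()))
    jwk_dict["use"] = "sig"
    jwk_dict["alg"] = "ES256"

    return json.dumps(jwk_dict)


if __name__ == "__main__":
    jwk_json = generate_jwk()
    print("generated ES256 JWK for OAuth confidential client:\n")
    print(jwk_json)
    print("\nadd to your .env file as:")
    print(f"OAUTH_JWK='{jwk_json}'")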