[REF] Manually verify ID token using PyJWT instead of google_auth

[alyssadai]

• Closes Switch to manual JWT verification of ID token from IdP #385
• Related to [REF] Manually verify ID token using PyJWT instead of google_auth federation-api#139

Changes proposed in this pull request:

• Switch to using PyJWT library to 'manually' verify ID tokens based on provided IdP public keys, issuers, etc.
• Switch to Auth0 as IdP

Checklist

This section is for the PR reviewer

• PR has an interpretable title with a prefix ([ENH], [FIX], [REF], [TST], [CI], [MNT], [INF], [MODEL], [DOC]) (see our Contributing Guidelines for more info)
• PR has a label for the release changelog or skip-release (to be applied by maintainers only)
• PR links to GitHub issue with mention Closes #XXXX
• Tests pass
• Checks pass
• If the PR changes the SPARQL query template, the default Neurobagel query file has also been regenerated

For new features:

• Tests have been added

For bug fixes:

• There is at least one test that would fail under the original bug conditions.

Summary by Sourcery

Replace Google ID token verification with manual verification using PyJWT, updating the security module to use PyJWT for token decoding and verification. Update the OAuth2 authorization URL to use Auth0 instead of Google. Modify the requirements to remove google-auth and add necessary dependencies for PyJWT.

Enhancements:

• Replace Google ID token verification with manual verification using PyJWT.

Build:

• Remove google-auth from requirements and add PyJWT, cffi, and cryptography packages.

[sourcery-ai]

Reviewer's Guide by Sourcery

This PR replaces Google's authentication library with PyJWT for ID token verification. The implementation involves manually verifying JWT tokens using PyJWT's JWKS client to fetch signing keys from Auth0's JWKS endpoint. The changes maintain the same security guarantees while switching the authentication provider from Google to Auth0.

Sequence diagram for ID token verification process

sequenceDiagram
    participant Client
    participant Server
    participant Auth0

    Client->>Server: Send ID token
    Server->>Auth0: Fetch signing keys from JWKS endpoint
    Auth0-->>Server: Return signing keys
    Server->>Server: Verify token using PyJWT
    Server-->>Client: Return verification result

Loading

Updated class diagram for security module

classDiagram
    class Security {
        +check_client_id()
        +verify_token(token: str)
    }

    class PyJWKClient {
        +get_signing_key_from_jwt(jwt: str)
    }

    class PyJWTError

    Security --> PyJWKClient : uses
    Security --> PyJWTError : handles exception

Loading

File-Level Changes

Change	Details	Files
Replace Google Auth with PyJWT for token verification	Add PyJWKClient initialization with Auth0's JWKS endpoint Update token verification logic to use PyJWT's decode function Configure JWT verification options to require specific claims Replace GoogleAuthError with PyJWTError in exception handling	app/api/security.py
Update authentication configuration and dependencies	Remove google-auth dependency Add PyJWT and cryptography dependencies Update OAuth2 authorization URL to point to Auth0 endpoint	requirements.txt app/api/routers/query.py

Assessment against linked issues

Issue	Objective	Addressed	Explanation
#385	Switch from google_auth package to PyJWT for manual JWT verification	✅
#385	Implement manual JWT token verification with public keys	✅
#385	Remove google_auth dependency	✅

Possibly linked issues

• Switch to manual JWT verification of ID token from IdP #385: The PR implements manual JWT verification using PyJWT, addressing the issue's need to switch from google_auth.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey @alyssadai - I've reviewed your changes and found some issues that need to be addressed.

Blocking issues:

• The Bearer scheme verification should be implemented rather than left as a TODO (link)
• Replace print statement with proper logging (link)

Here's what I looked at during the review

• 🟢 General issues: all looks good
• 🔴 Security: 2 blocking issues
• 🟢 Testing: all looks good
• 🟢 Complexity: all looks good
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[codecov]

Codecov Report

Attention: Patch coverage is 88.88889% with 1 line in your changes missing coverage. Please review.

Please upload report for BASE (main@ef2e533). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
app/api/security.py	88.88%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #386   +/-   ##
=======================================
  Coverage        ?   97.05%           
=======================================
  Files           ?       24           
  Lines           ?      850           
  Branches        ?        0           
=======================================
  Hits            ?      825           
  Misses          ?       25           
  Partials        ?        0           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[surchs]

Nice, thanks @alyssadai !

🧑‍🍳

[surchs]

neurobagel/query-tool#380 is merged, @alyssadai you can merge this too

[neurobagel-bot]

🚀 PR was released in v0.4.3 🚀