deck enforces a secret for RS256 JWT auth details #181

Closed
StuAtKong opened this issue Jul 1, 2020 · 1 comment
Comments

@StuAtKong

Trying to create a consumer with JWT credentials using the RS256 algorithm. For the RS256 algorithm, the secret field is non-mandatory. But the deck sync command mandates providing the field, as given below:

    # deck sync --headers kong-admin-token:my-token
    Error: reading file: validating file content: 1 errors occurred: consumers.0.jwt_secrets.0: secret is required

The admin API does allow a null secret to be used with the RS256 algorithm. I tried editing the kong.yaml file and setting the secret to nothing, null and an empty string, and all gave the same error, i.e. "secret is required".

@rainest
Contributor

rainest commented Jul 2, 2020

We're unfortunately kinda stuck here: the validation requirements for jwt-auth are a bit odd in that some fields are required, but only sometimes, and technically no fields are required, though some essentially are in that they fill in default values.

That complicates declarative configuration because we want to know for sure that we have both a valid and complete representation of the plugin configuration, while also not wanting too complex validation rules (since we don't want to replicate logic in Kong that may change, as much as possible).

The upshot here is that unfortunately there's not much we can do that satisfies both goals well, and the unnecessary requirement has a workaround: filling out the field with a dummy value bypasses the check, but doesn't change the plugin behavior (the setting is just ignored in the other mode).

I'll update documentation to reflect the issue and instruct readers to configure it regardless of whether it's truly required.

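The workaround rainest describes, as an added decK kong.yaml fragment (not from the issue or the deck project itself): the RS256 credential carries the real verification key in rsa_public_key and a dummy value in secret purely to satisfy decK's validator. The consumer name, the key value and the PEM placeholder are constructed; the credential field names are the jwt-auth plugin's own.

```yaml
_format_version: "1.1"
consumers:
  - username: rs256-client            # constructed example consumer
    jwt_secrets:
      - algorithm: RS256
        key: rs256-client-issuer      # constructed; must match the token's iss claim
        # The material Kong actually verifies RS256 signatures with.
        # Placeholder PEM: replace with the real public key.
        rsa_public_key: |
          -----BEGIN PUBLIC KEY-----
          <placeholder: your RS256 public key in PEM form>
          -----END PUBLIC KEY-----
        # Ignored by Kong for RS256 credentials, but required by deck's file
        # validation; any dummy value passes the check without changing behaviour.
        secret: placeholder-not-used-for-rs256
```

Without the secret line, deck sync fails with the "consumers.0.jwt_secrets.0: secret is required" error reported above; with it, the dummy value is never used for verification because the algorithm is RS256.
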
@hbagdi hbagdi closed this as completed Jul 2, 2020
rainest added a commit to Kong/docs.konghq.com that referenced this issue Jul 2, 2020
Add warning for decK and KIC users to jwt-auth/JWT credential docs.
Please see Kong/deck#181 and
Kong/kubernetes-ingress-controller#750 for
background.
rainest added a commit to Kong/docs.konghq.com that referenced this issue Jul 6, 2020
Add warning for decK and KIC users to jwt-auth/JWT credential docs.
Please see Kong/deck#181 and
Kong/kubernetes-ingress-controller#750 for
background.

Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com>