auth: enable S3 JWT auth as automatic fallback

Co-authored-by: Colin MacNaughton <cmacnaughton@nvidia.com>
Signed-off-by: Aaron Wilson <aawilson@nvidia.com>

Author: aaronnw

ais/prxauth.go

@@ -219,16 +219,17 @@ func (p *proxy) delToken(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-// Validates a token from the request header
-// When config.Auth.AllowS3TokenCompat is enabled, also checks X-Amz-Security-Token header
+// Validates a token from the request header.
+// Supports both standard Bearer tokens and X-Amz-Security-Token
+// as fallback for AWS SDK compatibility.
 func (p *proxy) validateToken(hdr http.Header) (*tok.AISClaims, error) {
-	token, err := tok.ExtractToken(hdr, cmn.Rom.AllowS3TokenCompat())
+	tokenHdr, err := tok.ExtractToken(hdr)
 	if err != nil {
 		return nil, err
 	}
-	claims, err := p.authn.validateToken(token)
+	claims, err := p.authn.validateToken(tokenHdr.Token)
 	if err != nil {
-		nlog.Errorf("invalid token: %v", err)
+		nlog.Errorf("invalid token from header %q: %v ", tokenHdr.Header, err)
 		return nil, err
 	}
 	return claims, nil

ais/test/s3_compat_test.go

@@ -15,7 +15,6 @@ import (
 	"net/http"
 	"net/url"
 	"os"
-	"strconv"
 	"strings"
 	"sync"
 	"testing"
@@ -142,8 +141,8 @@ func getS3Credentials(t *testing.T) aws.CredentialsProvider {
 }
 
 // setupS3Compat configures the cluster for S3 compatibility tests
-// If auth is enabled, it automatically enables S3 reverse proxy and JWT token compat mode
-// Returns a cleanup function that restores original settings
+// If auth is enabled, it enables S3 reverse proxy feature.
+// S3 JWT authentication (via X-Amz-Security-Token) will be checked as a fallback if no Authorization header is present.
 func setupS3Compat(t *testing.T) {
 	config, err := api.GetClusterConfig(tools.BaseAPIParams())
 	tassert.CheckFatal(t, err)
@@ -153,19 +152,16 @@ func setupS3Compat(t *testing.T) {
 		return
 	}
 
-	// Auth is enabled - ensure S3 JWT compat mode is enabled
+	// Auth is enabled - ensure S3 reverse proxy is enabled
 	originalFeatures := config.Features.String()
-	originalS3TokenCompat := strconv.FormatBool(config.Auth.AllowS3TokenCompat)
 
 	tools.SetClusterConfig(t, cos.StrKVs{
-		"features":                   feat.S3ReverseProxy.String(),
-		"auth.allow_s3_token_compat": "true",
+		"features": feat.S3ReverseProxy.String(),
 	})
 
 	t.Cleanup(func() {
 		tools.SetClusterConfig(t, cos.StrKVs{
-			"features":                   originalFeatures,
-			"auth.allow_s3_token_compat": originalS3TokenCompat,
+			"features": originalFeatures,
 		})
 	})
 }
@@ -712,13 +708,6 @@ func TestS3JWTAuth(t *testing.T) {
 	// Create test bucket
 	tools.CreateBucket(t, proxyURL, bck, nil, true /*cleanup*/)
 
-	// VERIFY: S3 JWT compat is enabled
-	updatedConfig, err := api.GetClusterConfig(authBP)
-	tassert.CheckFatal(t, err)
-	tassert.Fatalf(t, updatedConfig.Auth.AllowS3TokenCompat,
-		"S3 JWT compat mode should be enabled but got: %v", updatedConfig.Auth.AllowS3TokenCompat)
-	tlog.Logfln("✓ S3 JWT compatibility mode enabled")
-
 	// Get a valid JWT token from the authenticated BaseParams
 	testJWT := authBP.Token
 	tassert.Fatalf(t, testJWT != "", "Expected valid auth token from tools.BaseAPIParams()")
@@ -816,19 +805,9 @@ func TestS3JWTAuthFailures(t *testing.T) {
 		bck      = cmn.Bck{Name: "test-s3-jwt-fail-" + trand.String(6), Provider: apc.AIS}
 	)
 
-	// Get authenticated BaseParams
-	authBP := tools.BaseAPIParams()
-
 	// Create test bucket
 	tools.CreateBucket(t, proxyURL, bck, nil, true /*cleanup*/)
 
-	// VERIFY: S3 JWT compat is enabled
-	updatedConfig, err := api.GetClusterConfig(authBP)
-	tassert.CheckFatal(t, err)
-	tassert.Fatalf(t, updatedConfig.Auth.AllowS3TokenCompat,
-		"S3 JWT compat mode should be enabled but got: %v", updatedConfig.Auth.AllowS3TokenCompat)
-	tlog.Logfln("✓ S3 JWT compatibility mode enabled")
-
 	// Test 1: Request with NO credentials at all
 	tlog.Logln("Test 1: Request with NO credentials should fail...")
 	noCfg, err := config.LoadDefaultConfig(
@@ -914,77 +893,3 @@ func TestS3JWTAuthFailures(t *testing.T) {
 	tassert.Fatalf(t, err != nil, "Expected request with malformed JWT to fail, but it succeeded")
 	tlog.Logfln("✓ Malformed JWT signature failed as expected: %v", err)
 }
-
-// TestS3JWTAuthDisabledByDefault validates backward compatibility:
-// When auth is enabled but allow_s3_token_compat is false (default),
-// valid JWT tokens in X-Amz-Security-Token should be rejected
-func TestS3JWTAuthDisabledByDefault(t *testing.T) {
-	tools.CheckSkip(t, &tools.SkipTestArgs{RequiresAuth: true})
-
-	var (
-		proxyURL = tools.GetPrimaryURL()
-		bck      = cmn.Bck{Name: "test-s3-jwt-disabled-" + trand.String(6), Provider: apc.AIS}
-	)
-
-	// Get authenticated BaseParams
-	authBP := tools.BaseAPIParams()
-
-	// Get current config
-	clusterConfig, err := api.GetClusterConfig(authBP)
-	tassert.CheckFatal(t, err)
-	originalFeatures := clusterConfig.Features.String()
-	originalS3TokenCompat := strconv.FormatBool(clusterConfig.Auth.AllowS3TokenCompat)
-
-	// Create test bucket
-	tools.CreateBucket(t, proxyURL, bck, nil, true /*cleanup*/)
-
-	// Enable S3 reverse proxy but keep allow_s3_token_compat disabled (false)
-	tlog.Logln("Enabling S3 reverse proxy with JWT auth mode DISABLED...")
-	tools.SetClusterConfig(t, cos.StrKVs{
-		"features":                   feat.S3ReverseProxy.String(),
-		"auth.allow_s3_token_compat": "false",
-	})
-	t.Cleanup(func() {
-		// Restore original config values
-		tools.SetClusterConfig(t, cos.StrKVs{
-			"features":                   originalFeatures,
-			"auth.allow_s3_token_compat": originalS3TokenCompat,
-		})
-	})
-
-	// VERIFY: S3 JWT compat is disabled
-	updatedConfig, err := api.GetClusterConfig(authBP)
-	tassert.CheckFatal(t, err)
-	tassert.Fatalf(t, !updatedConfig.Auth.AllowS3TokenCompat,
-		"S3 JWT compat mode should be disabled but got: %v", updatedConfig.Auth.AllowS3TokenCompat)
-	tlog.Logfln("✓ S3 JWT compatibility mode is disabled (backward compatibility mode)")
-
-	// Get a valid JWT token
-	testJWT := authBP.Token
-	tassert.Fatalf(t, testJWT != "", "Expected valid auth token from tools.BaseAPIParams()")
-	tlog.Logfln("Attempting S3 request with valid JWT token (length: %d bytes)", len(testJWT))
-
-	// Create AWS SDK client with JWT as SessionToken
-	cfg, err := config.LoadDefaultConfig(
-		context.Background(),
-		config.WithCredentialsProvider(
-			credentials.NewStaticCredentialsProvider(
-				"dummy-access-key",
-				"dummy-secret-key",
-				testJWT, // Valid JWT in X-Amz-Security-Token header
-			),
-		),
-		config.WithRegion(env.AwsDefaultRegion()),
-	)
-	tassert.CheckFatal(t, err)
-
-	cfg.HTTPClient = newS3Client(false)
-	cfg.BaseEndpoint = aws.String(proxyURL + "/s3")
-	s3Client := s3.NewFromConfig(cfg)
-
-	// Attempt S3 request - should FAIL because allow_s3_token_compat is disabled
-	tlog.Logln("Testing that valid JWT is rejected when feature is disabled...")
-	_, err = s3Client.ListBuckets(context.Background(), &s3.ListBucketsInput{})
-	tassert.Fatalf(t, err != nil, "Expected request to fail when allow_s3_token_compat=false, but it succeeded")
-	tlog.Logfln("✓ Valid JWT was correctly rejected (backward compatibility preserved): %v", err)
-}

api/authn/config.go

@@ -38,12 +38,11 @@ type (
 		UseHTTPS    bool   `json:"use_https"`
 	}
 	ServerConf struct {
-		psecret            *string       `json:"-"`
-		pexpire            *cos.Duration `json:"-"`
-		Secret             string        `json:"secret"`
-		Expire             cos.Duration  `json:"expiration_time"`
-		PubKey             *string       `json:"public_key"`
-		AllowS3TokenCompat bool          `json:"allow_s3_token_compat"`
+		psecret *string       `json:"-"`
+		pexpire *cos.Duration `json:"-"`
+		Secret  string        `json:"secret"`
+		Expire  cos.Duration  `json:"expiration_time"`
+		PubKey  *string       `json:"public_key"`
 	}
 	TimeoutConf struct {
 		Default cos.Duration `json:"default_timeout"`

cmd/authn/hserv.go

@@ -299,15 +299,15 @@ func (h *hserv) httpUserGet(w http.ResponseWriter, r *http.Request) {
 }
 
 func getToken(r *http.Request) (*tok.AISClaims, error) {
-	tokenStr, err := tok.ExtractToken(r.Header, Conf.Server.AllowS3TokenCompat)
+	tokenHdr, err := tok.ExtractToken(r.Header)
 	if err != nil {
 		return nil, err
 	}
 	tkParser := tok.NewTokenParser(Conf.Secret(), nil, nil)
-	claims, err := tkParser.ValidateToken(tokenStr)
+	claims, err := tkParser.ValidateToken(tokenHdr.Token)
 	if err != nil {
 		if errors.Is(err, tok.ErrInvalidToken) {
-			return nil, fmt.Errorf("not authorized (token expired): %q", tokenStr)
+			return nil, fmt.Errorf("not authorized (token expired): %q", tokenHdr.Token)
 		}
 		return nil, err
 	}

cmd/authn/tok/token.go

@@ -45,6 +45,13 @@ type (
 		parseOpts []jwt.ParserOption
 	}
 
+	TokenHdr struct {
+		// Request header containing token string
+		Header string
+		// Raw token string from request
+		Token string
+	}
+
 	Parser interface {
 		// ValidateToken verifies JWT signature and extracts token claims.
 		ValidateToken(tokenStr string) (*AISClaims, error)
@@ -107,41 +114,36 @@ func AdminClaims(expires time.Time, userID, aud string) *AISClaims {
 
 // extractBearerToken extracts a bearer token from the Authorization header.
 // Header format: 'Authorization: Bearer <token>'
-func extractBearerToken(hdr http.Header) (string, error) {
+func extractBearerToken(hdr http.Header) (*TokenHdr, error) {
 	s := hdr.Get(apc.HdrAuthorization)
 	if s == "" {
-		return "", ErrNoToken
+		return nil, ErrNoToken
 	}
 	idx := strings.Index(s, " ")
 	if idx == -1 || s[:idx] != apc.AuthenticationTypeBearer {
-		return "", ErrNoBearerToken
+		return nil, ErrNoBearerToken
 	}
-	return s[idx+1:], nil
+	return &TokenHdr{Header: apc.HdrAuthorization, Token: s[idx+1:]}, nil
 }
 
 // ExtractToken extracts JWT token from either Authorization header (Bearer token)
-// or X-Amz-Security-Token header (AWS SDK compatibility mode).
-// This enables native AWS SDK clients to authenticate using JWT tokens passed via the
-// X-Amz-Security-Token header, bypassing SigV4 validation.
-//
-// Priority:
+// or X-Amz-Security-Token header with the following priority:
 //  1. Authorization: Bearer <token> (standard JWT auth)
-//  2. X-Amz-Security-Token: <token> (AWS SDK compatibility when s3CompatEnabled=true)
-func ExtractToken(hdr http.Header, s3CompatEnabled bool) (string, error) {
+//  2. X-Amz-Security-Token: enables native AWS SDK clients to authenticate using AIS-compatible JWT tokens passed when
+//     using SigV4 authentication.
+func ExtractToken(hdr http.Header) (*TokenHdr, error) {
 	// First, try standard Bearer token from Authorization header
-	s, err := extractBearerToken(hdr)
+	t, err := extractBearerToken(hdr)
 	if err == nil {
-		return s, nil
+		return t, nil
 	}
 
 	// Fallback to X-Amz-Security-Token for AWS SDK compatibility
-	if s3CompatEnabled {
-		s := hdr.Get(s3.HeaderSecurityToken)
-		if s != "" {
-			return s, nil
-		}
+	s := hdr.Get(s3.HeaderSecurityToken)
+	if s != "" {
+		return &TokenHdr{Header: s3.HeaderSecurityToken, Token: s}, nil
 	}
-	return "", ErrNoToken
+	return nil, ErrNoToken
 }
 
 /////////////////

cmd/authn/tok/token_test.go

@@ -145,13 +145,14 @@ func TestExtractToken(t *testing.T) {
 	// Test bearer token extraction (s3CompatEnabled=false)
 	hdr := http.Header{}
 	hdr.Set("Authorization", "Bearer sometoken")
-	token, err := tok.ExtractToken(hdr, false)
+	token, err := tok.ExtractToken(hdr)
 	tassert.Fatalf(t, err == nil, "ExtractToken failed: %v", err)
-	tassert.Errorf(t, token == "sometoken", "Expected 'sometoken', got %q", token)
+	tassert.Errorf(t, token.Token == "sometoken", "Expected 'sometoken', got %q", token.Token)
+	tassert.Errorf(t, token.Header == "Authorization", "Expected 'Authorization', got %q", token.Header)
 
 	// Test missing Bearer prefix
 	hdr.Set("Authorization", "sometoken")
-	_, err = tok.ExtractToken(hdr, false)
+	_, err = tok.ExtractToken(hdr)
 	tassert.Error(t, err != nil, "Expected failure due to missing 'Bearer' prefix")
 }
 
@@ -303,35 +304,29 @@ func TestExtractTokenS3Compat(t *testing.T) {
 	hdr.Set("X-Amz-Security-Token", testJWT)
 	hdr.Set("X-Amz-Date", "20130524T000000Z")
 
-	token, err := tok.ExtractToken(hdr, true)
+	token, err := tok.ExtractToken(hdr)
 	tassert.Fatalf(t, err == nil, "ExtractToken failed: %v", err)
-	tassert.Errorf(t, token == testJWT, "Expected JWT from X-Amz-Security-Token, got %q", token)
+	tassert.Errorf(t, token.Token == testJWT, "Expected test JWT, got %q", token.Token)
+	tassert.Errorf(t, token.Header == "X-Amz-Security-Token", "Expected JWT from X-Amz-Security-Token, got %q", token.Header)
 
 	// Test 2: Bearer token takes precedence
 	hdr.Set("Authorization", "Bearer priority-token")
-	token, err = tok.ExtractToken(hdr, true)
+	token, err = tok.ExtractToken(hdr)
 	tassert.Fatalf(t, err == nil, "ExtractToken failed: %v", err)
-	tassert.Errorf(t, token == "priority-token", "Expected Bearer token to take precedence, got %q", token)
+	tassert.Errorf(t, token.Token == "priority-token", "Expected Bearer token to take precedence, got %q", token)
 
 	// Test 3: X-Amz-Security-Token with non-JWT data extracts successfully
 	// (validation happens later in ValidateToken, not during extraction)
 	hdr = http.Header{}
 	hdr.Set("Authorization", "AWS4-HMAC-SHA256 Credential=...")
 	hdr.Set("X-Amz-Security-Token", "not-a-jwt-no-dots")
-	token, err = tok.ExtractToken(hdr, true)
+	token, err = tok.ExtractToken(hdr)
 	tassert.Fatalf(t, err == nil, "ExtractToken should succeed, got: %v", err)
-	tassert.Errorf(t, token == "not-a-jwt-no-dots", "Expected extracted token, got %q", token)
+	tassert.Errorf(t, token.Token == "not-a-jwt-no-dots", "Expected extracted token, got %q", token)
 
 	// Test 4: No token at all
 	hdr = http.Header{}
 	hdr.Set("Authorization", "AWS4-HMAC-SHA256 Credential=...")
-	_, err = tok.ExtractToken(hdr, true)
+	_, err = tok.ExtractToken(hdr)
 	tassert.Fatalf(t, errors.Is(err, tok.ErrNoToken), "Expected ErrNoToken, got: %v", err)
-
-	// Test 5: S3 compat disabled - should NOT check X-Amz-Security-Token
-	hdr = http.Header{}
-	hdr.Set("Authorization", "AWS4-HMAC-SHA256 Credential=...")
-	hdr.Set("X-Amz-Security-Token", testJWT)
-	_, err = tok.ExtractToken(hdr, false) // s3CompatEnabled=false
-	tassert.Fatalf(t, errors.Is(err, tok.ErrNoToken), "Expected ErrNoToken when S3 compat disabled, got: %v", err)
 }

cmn/config.go

@@ -641,18 +641,16 @@ type (
 	}
 
 	AuthConf struct {
-		Secret             string   `json:"secret"`
-		PubKey             string   `json:"public_key"`
-		Aud                []string `json:"aud"`
-		Enabled            bool     `json:"enabled"`
-		AllowS3TokenCompat bool     `json:"allow_s3_token_compat,omitempty"` // Allow X-Amz-Security-Token header to contain JWT instead of SigV4
+		Secret  string   `json:"secret"`
+		Enabled bool     `json:"enabled"`
+		PubKey  string   `json:"public_key"`
+		Aud     []string `json:"aud"`
 	}
 	AuthConfToSet struct {
-		Secret             *string  `json:"secret,omitempty"`
-		Enabled            *bool    `json:"enabled,omitempty"`
-		AllowS3TokenCompat *bool    `json:"allow_s3_token_compat,omitempty"`
-		PubKey             string   `json:"public_key,omitempty"`
-		Aud                []string `json:"aud,omitempty"`
+		Secret  *string  `json:"secret,omitempty"`
+		Enabled *bool    `json:"enabled,omitempty"`
+		PubKey  string   `json:"public_key,omitempty"`
+		Aud     []string `json:"aud,omitempty"`
 	}
 
 	// keepalive