Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support authentication using a JSON web token (JWT) #93 #100

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Support authentication using a JSON web token (JWT) #93 #100

wants to merge 2 commits into from

Conversation

stoggi
Copy link

@stoggi stoggi commented Aug 7, 2019

This PR enables support for authentication with OpenIDConnect by verifying a JWT #93

A third party library (https://github.com/mpdavis/python-jose) is introduced to verify a JSON Web Token (JWT), and parse a JSON Web Key (JWK). This library was chosen because it is well maintained, a compatible license, features on jwt.io, is light weight, and can support JWKs.

  • Created new configuration section for JWT Auth
    • Configure a JWK to verify a JWT signature
    • Configure requried signature algorithms
    • Configure required audience and issuer claims
    • Configure name of username claim
  • Added code block in lambda_handler_user to validate JWT if configured
    • Require remote_usernames == bastion_user
    • Require valid JWT signature, expiry, and signature algorithm
    • Require username_claim in JWT
    • Require username_claim == bastion_user
  • Added unit tests for config and JWT validation

@stoggi
Support authentication using a JSON web token (JWT) Netflix#93
cce9d5c 
* Created new configuration section for JWT Auth
 - Configure a JWK to verify a JWT signature
 - Configure requried signature algorithms
 - Configure required audience and issuer claims
 - Configure name of username claim
* Added code block in lambda_handler_user to validate JWT if configured
 - Require remote_usernames == bastion_user
 - Require valid JWT signature, expiry, and signature algorithm
 - Require username_claim in JWT
 - Require username_claim == bastion_user
* Added unit tests for config and JWT validation
@stoggi stoggi mentioned this pull request Aug 7, 2019
Open
@coveralls
Copy link

coveralls commented Aug 7, 2019
edited

Coverage Status

Coverage increased (+0.2%) to 94.943% when pulling 24af4b4 on stoggi:jwtauth into 80f3c1b on Netflix:master.

@stoggi
Fix marshmellow verison, and prevent jose from verifying access token…
24af4b4 
… hash

* Pin marshmellow to a version less than 3. This might be fixed in Netflix#99
* Disable at_hash verification if present in the JWT, since the bless lambda doesn't have access to the a hash of the access token.
@stoggi
Copy link
Author

stoggi commented Nov 4, 2019

@russell-lewis am I able to get a hand reviewing this PR?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@stoggi @coveralls