Oauth info for each namespace #354

Merged: 36 commits merged into master from the oauth branch on Jul 12, 2019

@dstiliadis (Member) commented Jun 28, 2019

Defines the APIs for providing OAuth-related information for each namespace.

Documenting here the proposed API:

A user must enable JWT signing certificates in their namespace (or one of the parent namespaces). This is achieved by adding the following attributes to the namespace object:
- JWTCertificateEnable (bool)
- JWTCertificates map[string]string, where the index is the serial number of the certificate.

We always pick the most specific certificate with the latest expiration date to sign.

A new API enables enforcers or users to retrieve tokens: /issueservicetoken. The API allows two types:
- PU token, in which case the user must also provide a PU ID and must have read privileges in the corresponding namespace. The claims of the token are derived by combining the DATA section of the caller and the PU claims that are recovered from the corresponding tokenscopepolicies.
- UserToken, in which case there is no PU ID, and the claims of the issued token are equal to the user token's claims.

A new internal /oauthinfo API that is unauthenticated and will return the OAuth info for a given namespace.

A new internal /issueservicetoken API that allows barret to issue JWT tokens.

Enhancements in the /trustedcas and /tokenscopepolicies APIs to make the whole thing work.

All private certificates are held by barret.

Detailed explanation of all functionality can be found here: aporeto-inc/aporeto#1525 (comment)
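As an added example (not code from this PR, gaia or barret), the two rules stated above written out in Go: the walk that picks the signing certificate from the most specific namespace with JWTCertificateEnable set, preferring the latest expiration date, and the export of the chosen public key under the JWK member names from RFC 7517/7518 (kty, kid, n, e, crv, x, y). Everything beyond the PR text is an assumption and is labelled so in the code: namespace paths are slash-separated with "/" as the root, the JWTCertificates values are PEM certificates, expired or not-yet-valid certificates are skipped and a namespace with none falls through to its parent, and the names Namespace, SelectSigningCert, JWKFromCert, NewTestCertPEM and SampleNamespaces plus the /acme hierarchy are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"path"
	"time"
)

// Namespace carries the two attributes the PR adds; the JWTCertificates values
// (keyed by serial number) are assumed here to be PEM-encoded certificates.
type Namespace struct {
	JWTCertificateEnable bool
	JWTCertificates      map[string]string
}

// newestValid returns, among the certificates valid at now, the one expiring last.
func newestValid(certs map[string]string, now time.Time) (serial string, best *x509.Certificate) {
	for s, pemData := range certs {
		block, _ := pem.Decode([]byte(pemData))
		if block == nil {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil || now.Before(c.NotBefore) || now.After(c.NotAfter) {
			continue // unparsable, not yet valid or expired: never sign with it
		}
		if best == nil || c.NotAfter.After(best.NotAfter) {
			serial, best = s, c
		}
	}
	return serial, best
}

// SelectSigningCert walks from ns up to "/" and answers from the first namespace
// with signing enabled and a currently valid certificate. Skipping expired
// certificates and falling through to the parent are assumptions of this example.
func SelectSigningCert(all map[string]*Namespace, ns string, now time.Time) (string, *x509.Certificate, error) {
	for cur := path.Clean("/" + ns); ; cur = path.Dir(cur) { // Clean makes any input absolute
		if n := all[cur]; n != nil && n.JWTCertificateEnable {
			if serial, c := newestValid(n.JWTCertificates, now); c != nil {
				return serial, c, nil
			}
		}
		if cur == "/" {
			return "", nil, fmt.Errorf("no namespace at or above %s has a valid signing certificate", ns)
		}
	}
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// JWKFromCert exports the public key under the RFC 7517/7518 member names with
// kid = serial; EC coordinates are left-padded to the curve size (RFC 7518 6.2.1.2).
func JWKFromCert(serial string, c *x509.Certificate) (map[string]string, error) {
	switch pub := c.PublicKey.(type) {
	case *rsa.PublicKey:
		return map[string]string{"kty": "RSA", "kid": serial,
			"n": b64(pub.N.Bytes()), "e": b64(big.NewInt(int64(pub.E)).Bytes())}, nil
	case *ecdsa.PublicKey:
		size := (pub.Curve.Params().BitSize + 7) / 8 // 32 for P-256, 66 for P-521
		return map[string]string{"kty": "EC", "kid": serial, "crv": pub.Curve.Params().Name,
			"x": b64(pub.X.FillBytes(make([]byte, size))), "y": b64(pub.Y.FillBytes(make([]byte, size)))}, nil
	}
	return nil, fmt.Errorf("unsupported public key type %T", c.PublicKey)
}

// NewTestCertPEM makes a self-signed P-256 certificate; constructed test data only.
func NewTestCertPEM(serial int64, notBefore, notAfter time.Time) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// SampleNamespaces is a constructed hierarchy: /acme signs with a 30-day, a 1-year
// and an expired certificate, /acme/prod with a 7-day one, /acme/prod/web has none.
func SampleNamespaces(now time.Time) map[string]*Namespace {
	return map[string]*Namespace{
		"/acme": {JWTCertificateEnable: true, JWTCertificates: map[string]string{
			"1001": NewTestCertPEM(1001, now.Add(-time.Hour), now.Add(30*24*time.Hour)),
			"1002": NewTestCertPEM(1002, now.Add(-time.Hour), now.Add(365*24*time.Hour)),
			"1003": NewTestCertPEM(1003, now.Add(-48*time.Hour), now.Add(-time.Hour)),
		}},
		"/acme/prod": {JWTCertificateEnable: true, JWTCertificates: map[string]string{
			"2001": NewTestCertPEM(2001, now.Add(-time.Hour), now.Add(7*24*time.Hour)),
		}},
	}
}
```

With the sample hierarchy, SelectSigningCert for /acme/prod/web returns serial 2001 from /acme/prod even though /acme holds a longer-lived key, and for /acme it returns 1002, the latest-expiring certificate that is still valid (1003 is expired and never considered). The padding in JWKFromCert is not cosmetic: a coordinate whose leading byte is zero would otherwise encode to 31 bytes and be rejected by strict verifiers.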

@dstiliadis dstiliadis requested a review from primalmotion Jun 28, 2019


- name: modulo
description: |-
Modulo is the modulo value of an RSA public key. Valid only when the signing
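Review bot: `modulo` is neither the standard name nor the right word for this member. RFC 7518 calls the RSA public-key members `n` (modulus) and `e` (exponent), and the EC members `crv`, `x` and `y`, all base64url-encoded without padding, so a one-to-one mapping to a JWKS document needs this attribute exposed as `n` together with a companion exponent attribute, since a consumer cannot rebuild an RSA key from the modulus alone; the description should also say "modulus", not "modulo".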

@primalmotion (Member) Jun 28, 2019

Are modulo,x,y standard in jwks?

@primalmotion (Member) Jun 28, 2019

Also use omitempty: true for modulo, x, y.

@dstiliadis (Author, Member) Jun 28, 2019

yes .. all the names are standard from jwks .. trying to make it a one-to-one mapping

@dstiliadis (Author, Member) Jun 28, 2019

btw, I thought omitempty is always there by default ...

@primalmotion (Member) Jun 28, 2019

Nope. Thanks to apotests

@primalmotion (Member) left a review comment

We need a new api to issue user jwt.



@dstiliadis (Member, Author) commented Jun 28, 2019

yes .. I thought so .. I will define a new api (issuejwt) ..

@primalmotion (Member) commented Jun 28, 2019

Let's call the new API /workloadtoken or something like that. The name should reflect the fact that it has nothing to do with Aporeto auth.

@aporeto-dimitri (Contributor) commented Jun 30, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "oauth",
    "component": "tg",
    "pr-id": "16",
    "commit-sha": "2b53cfe4d060c6389b688abf7372f16794ff48d1"
  },
  {
    "project": "oauth",
    "component": "backend",
    "pr-id": "448",
    "commit-sha": "f0c27f2e49f53d15ed79ac06d3215403e62aa8f2"
  },
  {
    "project": "oauth",
    "component": "underwater",
    "pr-id": "67",
    "commit-sha": "f2a980737dda13336fa48cd8649da70758cf513d"
  },
  {
    "project": "oauth",
    "component": "gaia",
    "pr-id": "354",
    "commit-sha": "6b27d018f3a0bc8c4600b8092b8a28c0869e00f8"
  }
]
@aporeto-dimitri (Contributor) commented Jul 2, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "oauth",
    "component": "underwater",
    "pr-id": "67",
    "commit-sha": "41ef94358a2a2b3a4ad6458d8a9ccce5845db579"
  },
  {
    "project": "oauth",
    "component": "gaia",
    "pr-id": "354",
    "commit-sha": "e3deddc16b66e254e5ed2b23c808da5778507666"
  },
  {
    "project": "oauth",
    "component": "tg",
    "pr-id": "16",
    "commit-sha": "2b53cfe4d060c6389b688abf7372f16794ff48d1"
  },
  {
    "project": "oauth",
    "component": "backend",
    "pr-id": "448",
    "commit-sha": "0ed64d4dff93dd98786586621f53f10b6a789168"
  }
]
@aporeto-dimitri (Contributor) commented Jul 2, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "oauth",
    "component": "underwater",
    "pr-id": "67",
    "commit-sha": "41ef94358a2a2b3a4ad6458d8a9ccce5845db579"
  },
  {
    "project": "oauth",
    "component": "gaia",
    "pr-id": "354",
    "commit-sha": "c6a96f921a20d54e104639c77ff1f2dad725df2c"
  },
  {
    "project": "oauth",
    "component": "tg",
    "pr-id": "16",
    "commit-sha": "2b53cfe4d060c6389b688abf7372f16794ff48d1"
  },
  {
    "project": "oauth",
    "component": "backend",
    "pr-id": "448",
    "commit-sha": "0ed64d4dff93dd98786586621f53f10b6a789168"
  }
]
@aporeto-dimitri (Contributor) commented Jul 4, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "oauth",
    "component": "underwater",
    "pr-id": "67",
    "commit-sha": "41ef94358a2a2b3a4ad6458d8a9ccce5845db579"
  },
  {
    "project": "oauth",
    "component": "gaia",
    "pr-id": "354",
    "commit-sha": "c6a96f921a20d54e104639c77ff1f2dad725df2c"
  },
  {
    "project": "oauth",
    "component": "tg",
    "pr-id": "16",
    "commit-sha": "2b53cfe4d060c6389b688abf7372f16794ff48d1"
  },
  {
    "project": "oauth",
    "component": "backend",
    "pr-id": "448",
    "commit-sha": "a3006d67751b86c288a690a3eb4d56d70640c3c7"
  }
]
@aporeto-dimitri (Contributor) commented Jul 4, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "oauth",
    "component": "gaia",
    "pr-id": "354",
    "commit-sha": "5a8281ba8c5c08b5f23d33aada389f2eeb7f1ead"
  },
  {
    "project": "oauth",
    "component": "tg",
    "pr-id": "16",
    "commit-sha": "2b53cfe4d060c6389b688abf7372f16794ff48d1"
  },
  {
    "project": "oauth",
    "component": "backend",
    "pr-id": "448",
    "commit-sha": "a3006d67751b86c288a690a3eb4d56d70640c3c7"
  },
  {
    "project": "oauth",
    "component": "underwater",
    "pr-id": "67",
    "commit-sha": "41ef94358a2a2b3a4ad6458d8a9ccce5845db579"
  }
]
@aporeto-dimitri (Contributor) commented Jul 4, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "oauth",
    "component": "gaia",
    "pr-id": "354",
    "commit-sha": "0f41d57d61e88f08ab886d7be01141f932ea6131"
  },
  {
    "project": "oauth",
    "component": "tg",
    "pr-id": "16",
    "commit-sha": "2b53cfe4d060c6389b688abf7372f16794ff48d1"
  },
  {
    "project": "oauth",
    "component": "backend",
    "pr-id": "448",
    "commit-sha": "94f0cb7a640c0a3ef422228050318282a027195d"
  },
  {
    "project": "oauth",
    "component": "underwater",
    "pr-id": "67",
    "commit-sha": "41ef94358a2a2b3a4ad6458d8a9ccce5845db579"
  }
]
@aporeto-dimitri (Contributor) commented Jul 4, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "oauth",
    "component": "underwater",
    "pr-id": "67",
    "commit-sha": "e11e098eb4b8e89f29db035b058a6eebc853250a"
  },
  {
    "project": "oauth",
    "component": "gaia",
    "pr-id": "354",
    "commit-sha": "0f41d57d61e88f08ab886d7be01141f932ea6131"
  },
  {
    "project": "oauth",
    "component": "tg",
    "pr-id": "16",
    "commit-sha": "2b53cfe4d060c6389b688abf7372f16794ff48d1"
  },
  {
    "project": "oauth",
    "component": "backend",
    "pr-id": "448",
    "commit-sha": "94a512c922646450fc12424f8c911f5e7b8e0e59"
  }
]

@dstiliadis dstiliadis requested a review from primalmotion Jul 4, 2019

@aporeto-dimitri (Contributor) commented Jul 5, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "oauth",
    "component": "backend",
    "pr-id": "448",
    "commit-sha": "a51fb2db9391e851822f2daad48a5db6e6232909"
  },
  {
    "project": "oauth",
    "component": "underwater",
    "pr-id": "67",
    "commit-sha": "e11e098eb4b8e89f29db035b058a6eebc853250a"
  },
  {
    "project": "oauth",
    "component": "gaia",
    "pr-id": "354",
    "commit-sha": "3b1ae696c39e777466ff6d8627fc93e15718a3bc"
  },
  {
    "project": "oauth",
    "component": "tg",
    "pr-id": "16",
    "commit-sha": "2b53cfe4d060c6389b688abf7372f16794ff48d1"
  }
]
AllowedChoices: []string{"ECDSA", "RSA"},
ConvertedName: "Algorithm",
DefaultValue: AuthorityAlgorithmECDSA,
Description: `Algorithm defines the the signing algorithm to be used.`,

@mheese Jul 5, 2019

typo: remove one of the the

dstiliadis added some commits Jul 9, 2019

@aporeto-dimitri (Contributor) commented Jul 9, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "oauth",
    "component": "underwater",
    "pr-id": "67",
    "commit-sha": "d200b9f74ee24be95dd714caf32e06ba37fe599e"
  },
  {
    "project": "oauth",
    "component": "gaia",
    "pr-id": "354",
    "commit-sha": "35df5e6e2801cfa0c05226d1bc5a94788df654a2"
  },
  {
    "project": "oauth",
    "component": "tg",
    "pr-id": "16",
    "commit-sha": "2b53cfe4d060c6389b688abf7372f16794ff48d1"
  },
  {
    "project": "oauth",
    "component": "backend",
    "pr-id": "448",
    "commit-sha": "4e2baae797502489a7f87c2081cbe94ebbf394e2"
  }
]
@aporeto-dimitri (Contributor) commented Jul 9, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "oauth",
    "component": "tg",
    "pr-id": "16",
    "commit-sha": "2b53cfe4d060c6389b688abf7372f16794ff48d1"
  },
  {
    "project": "oauth",
    "component": "backend",
    "pr-id": "448",
    "commit-sha": "4e2baae797502489a7f87c2081cbe94ebbf394e2"
  },
  {
    "project": "oauth",
    "component": "underwater",
    "pr-id": "67",
    "commit-sha": "d200b9f74ee24be95dd714caf32e06ba37fe599e"
  },
  {
    "project": "oauth",
    "component": "gaia",
    "pr-id": "354",
    "commit-sha": "aa53068a2ef888e9d296a957e7b9249049dca1a9"
  }
]
@aporeto-dimitri (Contributor) commented Jul 9, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "oauth",
    "component": "underwater",
    "pr-id": "67",
    "commit-sha": "d200b9f74ee24be95dd714caf32e06ba37fe599e"
  },
  {
    "project": "oauth",
    "component": "gaia",
    "pr-id": "354",
    "commit-sha": "a77a9e511a4eb6f8bc5ca350feba8eb26d23cbce"
  },
  {
    "project": "oauth",
    "component": "tg",
    "pr-id": "16",
    "commit-sha": "2b53cfe4d060c6389b688abf7372f16794ff48d1"
  },
  {
    "project": "oauth",
    "component": "backend",
    "pr-id": "448",
    "commit-sha": "4e2baae797502489a7f87c2081cbe94ebbf394e2"
  }
]
rest_name: jwks
resource_name: jwks
entity_name: JWKS
package: squall

@primalmotion (Member) Jul 9, 2019

this is handled by cactuar no?

@dstiliadis (Author, Member) Jul 11, 2019

yes..

@@ -0,0 +1,103 @@
# Model
model:
rest_name: jwks
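Review bot: the model this new file describes is a single key, not a key set, so `rest_name: jwks` names it after the wrong RFC 7517 object. A JWK is one key (kty, kid and the n/e or crv/x/y members), while a JWKS is the `{"keys": [...]}` document that `jwks_uri` points at; the attributes reviewed above (modulo, x, y) are per-key, so the entity is a JWK and it is the collection endpoint that should match `jwks_uri`. Whatever name is kept, `rest_name`, `resource_name` and `entity_name` in this file should agree with each other.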

@primalmotion (Member) Jul 9, 2019

rest name should be jwk

@dstiliadis (Author, Member) Jul 11, 2019

it stands for JWT Keys .. it's kind of unnatural to change the name .. it is supposed to be jwks since it matches the jwks_uri

model:
rest_name: jwks
resource_name: jwks
entity_name: JWKS

@primalmotion (Member) Jul 9, 2019

entity name should be JWK

@aporeto-dimitri (Contributor) commented Jul 11, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "oauth",
    "component": "gaia",
    "pr-id": "354",
    "commit-sha": "a44a0357260213d0717816cffeb50e86d05245d2"
  },
  {
    "project": "oauth",
    "component": "tg",
    "pr-id": "16",
    "commit-sha": "2ee08ed1050d6ebfd07806d595fe2e2cc2a1899f"
  },
  {
    "project": "oauth",
    "component": "backend",
    "pr-id": "448",
    "commit-sha": "40ed76cafab24e0c5c57ea7c9ea9c7d4728c9f6a"
  },
  {
    "project": "oauth",
    "component": "underwater",
    "pr-id": "67",
    "commit-sha": "d200b9f74ee24be95dd714caf32e06ba37fe599e"
  }
]
@aporeto-dimitri (Contributor) commented Jul 11, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "oauth",
    "component": "underwater",
    "pr-id": "67",
    "commit-sha": "d200b9f74ee24be95dd714caf32e06ba37fe599e"
  },
  {
    "project": "oauth",
    "component": "gaia",
    "pr-id": "354",
    "commit-sha": "a44a0357260213d0717816cffeb50e86d05245d2"
  },
  {
    "project": "oauth",
    "component": "tg",
    "pr-id": "16",
    "commit-sha": "2ee08ed1050d6ebfd07806d595fe2e2cc2a1899f"
  },
  {
    "project": "oauth",
    "component": "backend",
    "pr-id": "448",
    "commit-sha": "ee1e16e1471122e56e7488b54827b699612eee1c"
  }
]
@aporeto-dimitri (Contributor) commented Jul 11, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "oauth",
    "component": "tg",
    "pr-id": "16",
    "commit-sha": "2ee08ed1050d6ebfd07806d595fe2e2cc2a1899f"
  },
  {
    "project": "oauth",
    "component": "backend",
    "pr-id": "448",
    "commit-sha": "ee1e16e1471122e56e7488b54827b699612eee1c"
  },
  {
    "project": "oauth",
    "component": "underwater",
    "pr-id": "67",
    "commit-sha": "d64fa124a84af9abff85bcc394b3d92d56b399ac"
  },
  {
    "project": "oauth",
    "component": "gaia",
    "pr-id": "354",
    "commit-sha": "a44a0357260213d0717816cffeb50e86d05245d2"
  }
]
@aporeto-dimitri (Contributor) commented Jul 11, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "oauth",
    "component": "tg",
    "pr-id": "16",
    "commit-sha": "3476a381a1fd71e9942ccf115c7735fa8d648ab7"
  },
  {
    "project": "oauth",
    "component": "backend",
    "pr-id": "448",
    "commit-sha": "ee1e16e1471122e56e7488b54827b699612eee1c"
  },
  {
    "project": "oauth",
    "component": "underwater",
    "pr-id": "67",
    "commit-sha": "d64fa124a84af9abff85bcc394b3d92d56b399ac"
  },
  {
    "project": "oauth",
    "component": "gaia",
    "pr-id": "354",
    "commit-sha": "a44a0357260213d0717816cffeb50e86d05245d2"
  }
]
@aporeto-dimitri (Contributor) commented Jul 11, 2019

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "oauth",
    "component": "underwater",
    "pr-id": "67",
    "commit-sha": "d64fa124a84af9abff85bcc394b3d92d56b399ac"
  },
  {
    "project": "oauth",
    "component": "gaia",
    "pr-id": "354",
    "commit-sha": "a44a0357260213d0717816cffeb50e86d05245d2"
  },
  {
    "project": "oauth",
    "component": "tg",
    "pr-id": "16",
    "commit-sha": "3476a381a1fd71e9942ccf115c7735fa8d648ab7"
  },
  {
    "project": "oauth",
    "component": "backend",
    "pr-id": "448",
    "commit-sha": "ee1e16e1471122e56e7488b54827b699612eee1c"
  }
]

@dstiliadis dstiliadis merged commit 37b8b3b into master Jul 12, 2019

4 checks passed:
- built
- functional-tests (set to success)
- functional-tests-trigger (set to success)
- unit-tests

@dstiliadis dstiliadis deleted the oauth branch Jul 12, 2019
