Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

release-23.1.17-rc: release-23.1: CRDB-28040 : JWKS fetch from jwks_uri #120063

Merged
merged 1 commit into from Mar 7, 2024
Merged

release-23.1.17-rc: release-23.1: CRDB-28040 : JWKS fetch from jwks_uri #120063

merged 1 commit into from Mar 7, 2024

Conversation

blathers-crl[bot]
Copy link

@blathers-crl blathers-crl bot commented Mar 7, 2024
edited by BabuSrithar

Backport 1/1 commits from #117054.

/cc @cockroachdb/release

Fixes CRDB-28040 ( JWKS fetch from jwks_uri )
This commit adds capability to fetch remote JWKS from issuer's jwks_uri endpoint. This will satisfy the requirement to have an ability to automatically fetch the new JWK when the existing JWK is rotated - without human intervention or custom scripts.

Changes include

  1. The existing order of token signature verification first and rest of claims next is modified to get issuer first and then the token signature verification. This change is requied to determine the issuer for which the jwks has to be fetched remotely.

  2. Introduction of a new cluster setting called server.jwt_authentication.jwks_auto_fetch.enabled

  3. Depending on the value of server.jwt_authentication.jwks_auto_fetch.enabled use JWKS configured through cluster setting or remotely fetch JWKS from jwks_uri of the issuer

  4. Modification to exiting test cases to match the new order of verification steps.

The change is backward compatible and not changes required in existing deployments and JWT Auth usage.

Release justification: high-priority need for functionality in 23.1

@BabuSrithar
CRDB-28040 : JWKS fetch from jwks_uri
61776d5 
This commit adds capability to fetch remote JWKS from issuer's jwks_uri endpoint. This will satisfy the requirement to have an ability to automatically fetch the new JWK when the existing JWK is rotated - without human intervention or custom scripts.

Changes include

1. The existing order of token signature verification first and rest of claims next is modified to get issuer first and then the token signature verification. This change is requied to determine the issuer for which the jwks has to be fetched remotely.

2. Introduction of a new cluster setting called `server.jwt_authentication.jwks_auto_fetch.enabled`

3. Depending on the value of `server.jwt_authentication.jwks_auto_fetch.enabled` use JWKS configured through cluster setting or remotely fetch JWKS from jwks_uri of the issuer

4. Modification to exiting test cases to match the new order of verification steps.

The change is backward compatible and no changes required in existing deployments and JWT Auth usage.
@blathers-crl blathers-crl bot force-pushed the blathers/backport-release-23.1.17-rc-119969 branch from 68b7e64 to 61776d5 Compare March 7, 2024 17:21
@blathers-crl blathers-crl bot requested review from a team as code owners March 7, 2024 17:21
@blathers-crl blathers-crl bot added blathers-backport This is a backport that Blathers created automatically. O-robot Originated from a bot. labels Mar 7, 2024
@blathers-crl blathers[crl]
Copy link
Author

blathers-crl bot commented Mar 7, 2024
edited by BabuSrithar

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Backports should only be created for serious
    issues     or test-only changes.
  • Backports should not break backwards-compatibility.
  • Backports should change as little code as possible.
  • Backports should not change on-disk formats or node communication protocols.
  • Backports should not add new functionality (except as defined
    here).
  • Backports must not add, edit, or otherwise modify cluster versions; or add version gates.
  • All backports must be reviewed by the owning areas TL and one additional
    TL. For more information as to how that review should be conducted, please consult the backport
    policy    .
If your backport adds new functionality, please ensure that the following additional criteria are satisfied:
  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters. State changes must be further protected such that nodes running old binaries will not be negatively impacted by the new state (with a mixed version test added).
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.
  • Your backport must be accompanied by a post to the appropriate Slack
    channel (#db-backports-point-releases or #db-backports-XX-X-release) for awareness and discussion.

Also, please add a brief release justification to the body of your PR to justify this
backport.

@blathers-crl blathers-crl bot added the backport Label PR's that are backports to older release branches label Mar 7, 2024
@cockroach-teamcity
Copy link
Member

This change is Reviewable

@BabuSrithar BabuSrithar assigned BabuSrithar and unassigned dhartunian Mar 7, 2024
@dhartunian dhartunian merged commit cc68ca8 into release-23.1.17-rc Mar 7, 2024
6 checks passed
@dhartunian dhartunian deleted the blathers/backport-release-23.1.17-rc-119969 branch March 7, 2024 19:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dhartunian dhartunian dhartunian approved these changes

@rafiss rafiss rafiss approved these changes

Assignees

@BabuSrithar BabuSrithar

Labels
backport Label PR's that are backports to older release branches blathers-backport This is a backport that Blathers created automatically. O-robot Originated from a bot.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@cockroach-teamcity @dhartunian @rafiss @BabuSrithar