Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for JWT tokens #10

Merged
merged 7 commits into from
Oct 12, 2017
Merged

Add support for JWT tokens #10

merged 7 commits into from
Oct 12, 2017

Conversation

dividedmind
Copy link
Contributor

See cyberark/slosilo#10 for details. Note this changeset includes #9.

@dividedmind
Remove Conjur::Rack::User#new_association
2718cad 
It's not clear what was the intent behind this method, but there is
no documentation and no usage as far as I can tell.
@dividedmind
Some spec refactoring
762abc4 
Split Authenticator and .user spec, make -fdoc more readable.
@dividedmind
Use real Slosilo in specs
8e319f6 
While this might move the tests a bit on the unit-integration
spectrum, it does make them more realistic and easier to implement.

Specific things can still be mocked and stubbed as needed for
test granularity.
@dividedmind
Correctly handle JWT tokens
f2d7cbd 
Please refer to cyberark/slosilo#10
for details.
@dividedmind
Add changelog entry
244f412
@dividedmind dividedmind mentioned this pull request Sep 4, 2017
Closed
apotterri
apotterri approved these changes Sep 8, 2017
View reviewed changes
Copy link
Contributor

@apotterri apotterri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me.

@dividedmind
Reject tokens with unrecognized claims
c029b3e 
JWT lacks a mechanism for specifying critical claims as JWS has
with header 'crit' field; JWT spec suggests to ignore unrecognized
claims and that is what a generic JWT library should do.

However, conjur-rack is a specific application; for security reasons
it's best to reject tokens which we don't totally understand, lest the
requester is allowed to do what she is not in fact authorized to.

If need be, this can be extended in the future with 'crit'-like
mechanism for specifying optional claims.

Related: cyberark/slosilo#12
@dividedmind
Copy link
Contributor Author

Can be merged in after cyberark/slosilo#11 is. Note Gemfile should be edited to remove the slosilo branch indication.

@dividedmind dividedmind mentioned this pull request Sep 19, 2017
Merged
@jvanderhoof jvanderhoof merged commit 79a334f into master Oct 12, 2017
@jvanderhoof jvanderhoof deleted the feature/jwt branch October 12, 2017 21:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@apotterri apotterri apotterri approved these changes

@kgilpin kgilpin Awaiting requested review from kgilpin

@dustinmm80 dustinmm80 Awaiting requested review from dustinmm80

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@dividedmind @apotterri @jvanderhoof