Flexible jwt authenticator #1295
Comments
@AndrewCopeland we have discussed this today in the design review of Azure authenticator: #1288
This example is azure specific but it can be applied to any JWT. What I am proposing is to parse the JWT using jsonPath and further parsing should be done with actions like
Having a JWT authenticator would allow me to remove secret zero for many DevOps products that already have a certificate and private key. We could integrate with these products, generate a JWT (from the present private key) which can then be used to authenticate to conjur to then fetch secrets. This removes the need to pass around API keys to these devops tools.
👍👍
@AndrewCopeland I do think JWT authn is the right way to go but I would dream of a way to "inherit" a basic jwt authn in a way that supports authenticators that can be built on top of it that speak a native language of the target. For example
Where would
be applied? All of this information should be configured on the policy itself and not implemented within Ruby code. Thanks,
As a conjur admin, I want a more flexible jwt authenticator, so that I can use any metadata within a JWT as a host identity.
SUMMARY:
The proposed azure authenticator flow does the following: Client sends JWT to conjur and conjur will then fetch and parse specific attributes from the JWT and then validate the parsed information with the host's annotations.
This process seems like it could be made more generic to support not just azure JWT but any JWT.
Here is a sample policy I made. I am creating an `authn-jwt` authenticator that allows the ability to authenticate using `subscription-id`, `resource-group` and `resource-name`. jsonPath is used to parse the attributes and then we can use regex to granularly obtain information within a json attribute.

GIVEN the policy

WHEN

The `authn-jwt/azure-resource-name` is configured and enabled

THEN

The following JWT should successfully authenticate to conjur

I still think having default authenticators for each cloud provider such as `iam`, `azure` and `gcp` with jwt pre-configured to the highest security standard is best. This solution would give us the ability to authenticate JWTs from any vendor.

On the conjur core side I think creating a `jwt_validator` class would be beneficial. An example of implementation below: