Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AuthnJWT: support claims with hyphens #2792

Merged
merged 3 commits into from
May 22, 2023
Merged

AuthnJWT: support claims with hyphens #2792

merged 3 commits into from
May 22, 2023

Conversation

john-odonnell
Copy link
Contributor

@john-odonnell john-odonnell commented May 3, 2023
edited
Loading

Desired Outcome

AuthnJWT uses the regex ^[a-zA-Z|$|_][a-zA-Z|$|_|0-9|.](\/[a-zA-Z|$|_][a-zA-Z|$|_|0-9|.])*$ to validate token claims, and therefore does not support claims including hyphens. An example of a claim that fails this validation is CircleCI's additional token claims: oidc.circleci.com/project-id et al.

AuthnJWT also currently does not support claims with inline namespaces (namespace.com/claim-key), instead digesting slash-delimited claims as nested. The CircleCI example above still applies.

Implemented Changes

  • Updated the regex to include hyphens as supported characters: ^[a-zA-Z|$|_][a-zA-Z|$|_|0-9|.](\/[a-zA-Z|$|_][a-zA-Z|$|_|\-|0-9|.])*$
  • Update claim parsing to attempt to use the raw claim before decomposing it and searching for a nested claim.
  • Update unit and integration tests for AuthnJWT input validation

Connected Issue/Story

ONYX-29842

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be
merged.

Changelog

  • The CHANGELOG has been updated, or
  • This PR does not include user-facing changes and doesn't require a
    CHANGELOG update

Test coverage

  • This PR includes new unit and integration tests to go with the code
    changes, or
  • The changes in this PR do not require tests

Documentation

  • Docs (e.g. READMEs) were updated in this PR
  • A follow-up issue to update official docs has been filed here: [insert issue ID]
  • This PR does not require updating any documentation

Behavior

  • This PR changes product behavior and has been reviewed by a PO, or
  • These changes are part of a larger initiative that will be reviewed later, or
  • No behavior was changed with this PR

Security

  • Security architect has reviewed the changes in this PR,
  • These changes are part of a larger initiative with a separate security review, or
  • There are no security aspects to these changes

codeclimate[bot]
codeclimate bot reviewed May 3, 2023
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
@john-odonnell john-odonnell marked this pull request as ready for review May 3, 2023 20:12
@john-odonnell john-odonnell requested a review from a team as a code owner May 3, 2023 20:12
@john-odonnell john-odonnell marked this pull request as draft May 3, 2023 20:53
@john-odonnell john-odonnell force-pushed the authn-jwt-hyphen-support branch 2 times, most recently from cb4f0c1 to b3b71a1 Compare May 4, 2023 19:15
@john-odonnell john-odonnell marked this pull request as ready for review May 4, 2023 19:16
gl-johnson
gl-johnson reviewed May 15, 2023
View reviewed changes
Copy link
Contributor

@gl-johnson gl-johnson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, although looks like it needs a fresh rebase

gl-johnson
gl-johnson previously approved these changes May 15, 2023
View reviewed changes
codeclimate[bot]
codeclimate bot reviewed May 22, 2023
View reviewed changes
CHANGELOG.md
@@ -15,6 +15,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
- Update bundler to 2.2.33 to remove CVE-2021-43809
[cyberark/conjur#2804](https://github.com/cyberark/conjur/pull/2804/files)

### Fixed
- AuthnJWT now supports claims that include hyphens and inline namespaces.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lists should be surrounded by blank lines

@codeclimate
Copy link

codeclimate bot commented May 22, 2023

Code Climate has analyzed commit d055458 and detected 1 issue on this pull request.

Here's the issue category breakdown:

Category Count
Style 1

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 89.9% (-1.5% change).

View more on Code Climate.

@john-odonnell john-odonnell merged commit 849c7ad into master May 22, 2023
2 checks passed
@john-odonnell john-odonnell deleted the authn-jwt-hyphen-support branch May 22, 2023 19:13
john-odonnell added a commit that referenced this pull request May 25, 2023
@john-odonnell
Fix AuthnJWT test case ONYX-10960
69975aa 
Failure caused by regex update in #2792
@john-odonnell john-odonnell mentioned this pull request May 25, 2023
Merged
13 tasks
@gl-johnson gl-johnson mentioned this pull request Jun 28, 2023
Merged
jvanderhoof pushed a commit that referenced this pull request Jul 5, 2023
@john-odonnell @jvanderhoof
Fix AuthnJWT test case ONYX-10960
2ec58b6 
Failure caused by regex update in #2792
adamouamani pushed a commit that referenced this pull request Jul 7, 2023
@john-odonnell @adamouamani
Fix AuthnJWT test case ONYX-10960
7508037 
Failure caused by regex update in #2792
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@codeclimate codeclimate[bot] codeclimate left review comments

@gl-johnson gl-johnson gl-johnson approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@john-odonnell @gl-johnson