feat: implement Delegated Authentication Service #4270

Merged
merged 14 commits into from
Jun 17, 2024

@paullatzelsperger paullatzelsperger commented Jun 13, 2024

What this PR changes/adds

Implements the DelegatedAuthenticationService that takes a bearer token and validates it against a public key resolved from a JWKS URL.

Why it does that

Delegating auth and related tasks (rotation, revocation, ...) away from the connector

Further notes

  • Currently, only JWKS are supported (no PEM endpoints). Let's see how far we get. We can always add that functionality to the JwksPublicKeyResolver
  • NotBeforeValidationRule and ExpirationIssuedAtValidationRule have received an optional allowNull argument, because nbf and exp are not mandatory claims in general (they might be in certain OAuth2 flows)
  • The TokenBasedAuthenticationService is only registered if no other service is registered for the "management-api" context. That way, it yields the way to other implementations.

Linked Issue(s)

Closes #4261

Please be sure to take a look at the contributing guidelines and our etiquette for pull requests.
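
The header pre-checks and the allowNull behaviour described in the PR description above, sketched as an added example that is not part of the original PR or of EDC's code. Class and method names are hypothetical, only the JDK is used, and signature verification against the key resolved from the JWKS URL is assumed to happen between the two steps.

```java
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Hypothetical sketch: class and method names are illustrative, not EDC's API.
public class DelegatedAuthSketch {

    // Return the bearer token only when exactly one Authorization header carries one.
    static Optional<String> bearerToken(Map<String, List<String>> headers) {
        if (headers == null) return Optional.empty();
        List<String> auth = headers.entrySet().stream()
                .filter(e -> "authorization".equalsIgnoreCase(e.getKey()))
                .flatMap(e -> e.getValue().stream())
                .toList();
        if (auth.size() != 1) return Optional.empty();   // none, or ambiguous duplicates
        String value = auth.get(0).trim();
        if (!value.regionMatches(true, 0, "Bearer ", 0, 7)) return Optional.empty();
        String token = value.substring(7).trim();
        return token.isEmpty() ? Optional.empty() : Optional.of(token);
    }

    // Time-claim check in the spirit of the allowNull flag: an absent claim passes only
    // when allowNull is true; a claim that is present is always enforced.
    static boolean timeClaimsValid(Map<String, Object> claims, Instant now, boolean allowNull) {
        Number nbf = (Number) claims.get("nbf");
        Number exp = (Number) claims.get("exp");
        if ((nbf == null || exp == null) && !allowNull) return false;
        if (nbf != null && now.isBefore(Instant.ofEpochSecond(nbf.longValue()))) return false;
        return exp == null || now.isBefore(Instant.ofEpochSecond(exp.longValue()));
    }

    public static void main(String[] args) {
        // Constructed clock value, headers and claims; the token is assumed to have
        // passed signature verification before the claim checks run.
        Instant now = Instant.ofEpochSecond(1_718_000_000L);
        System.out.println(bearerToken(Map.of("Authorization", List.of("Bearer abc.def.ghi"))));
        System.out.println(bearerToken(Map.of("Authorization", List.of("Bearer a", "Bearer b"))));
        System.out.println(bearerToken(Map.of("x-api-key", List.of("secret"))));
        System.out.println(timeClaimsValid(Map.of("sub", "admin"), now, true));
        System.out.println(timeClaimsValid(Map.of("sub", "admin"), now, false));
        System.out.println(timeClaimsValid(Map.of("exp", 1_717_999_999L), now, true));
    }
}
```

With allowNull enabled, a token that carries no exp claim never expires on its own, so its lifetime is bounded only by key rotation or revocation at the delegated identity provider.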

@paullatzelsperger paullatzelsperger added enhancement New feature or request api Feature related to the (REST) api labels Jun 13, 2024

github-actions bot commented Jun 13, 2024

Test Results

   856 files  + 3     856 suites  +3   20m 4s ⏱️ -18s
13 669 tests +24  13 666 ✅ +24  3 💤 ±0  0 ❌ ±0 
14 020 runs  +24  14 017 ✅ +24  3 💤 ±0  0 ❌ ±0 

Results for commit d17abb5. ± Comparison against base commit bacdf5a.

This pull request removes 158 and adds 182 tests. Note that renamed tests count towards both.
org.eclipse.edc.api.auth.ApiAuthenticationRegistryImplTest ‑ hasService()
org.eclipse.edc.api.auth.delegated.DelegatedAuthenticationExtensionTest ‑ initialize(DelegatedAuthenticationExtension, ServiceExtensionContext)
org.eclipse.edc.api.auth.delegated.DelegatedAuthenticationExtensionTest ‑ initialize_noUrlGiven_shouldNotRegister(DelegatedAuthenticationExtension, ServiceExtensionContext)
org.eclipse.edc.api.auth.delegated.DelegatedAuthenticationServiceTest ‑ isAuthenticated_emptyHeaders()
org.eclipse.edc.api.auth.delegated.DelegatedAuthenticationServiceTest ‑ isAuthenticated_multipleAuthHeaders_shouldReject()
org.eclipse.edc.api.auth.delegated.DelegatedAuthenticationServiceTest ‑ isAuthenticated_noAuthHeader()
org.eclipse.edc.api.auth.delegated.DelegatedAuthenticationServiceTest ‑ isAuthenticated_noHeaders()
org.eclipse.edc.api.auth.delegated.DelegatedAuthenticationServiceTest ‑ isAuthenticated_notBearer()
org.eclipse.edc.api.auth.delegated.DelegatedAuthenticationServiceTest ‑ isAuthenticated_valid()
org.eclipse.edc.api.auth.delegated.DelegatedAuthenticationServiceTest ‑ isAuthenticated_withXapiKey()
…

♻️ This comment has been updated with latest results.

@paullatzelsperger paullatzelsperger marked this pull request as ready for review June 14, 2024 07:11
paullatzelsperger commented Jun 14, 2024

FYI @lgblaumeiser. can't request your review, but feel free to take a look.

@paullatzelsperger paullatzelsperger force-pushed the feat/4261_delegating_auth_service branch from 1daa3e4 to 59154db Compare June 14, 2024 07:16
@paullatzelsperger paullatzelsperger force-pushed the feat/4261_delegating_auth_service branch from 2050258 to 8f86c3b Compare June 17, 2024 07:07
@paullatzelsperger paullatzelsperger merged commit 4441956 into main Jun 17, 2024
27 checks passed
@paullatzelsperger paullatzelsperger deleted the feat/4261_delegating_auth_service branch June 17, 2024 10:01
Successfully merging this pull request may close these issues.

Management API: add delegating authentication service