feat: custom claims for setting grpc/server addr in token #150

Merged
merged 1 commit into from
Feb 5, 2024

Conversation

abelanger5

Description

Removes the requirement of setting HATCHET_CLIENT_HOST_PORT as an environment variable in all of the SDKs. This instead adds custom claims of server_url and grpc_broadcast_address which are used for connections.

Security implications of this approach were considered - one could consider a MITM attack which rewrites the claims to trick the user into sending their token to their server. Our SDKs require TLS to minimize the risk, and if an attacker has constructed a MITM attack during token generation time, they would likely be able to modify the payload which shows the broadcast address to the user anyway. This is also fairly standard practice, i.e. GCP credentials files have a set of auth URIs set:

"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs"

Type of change

Please delete options that are not relevant.

  • New feature (non-breaking change which adds functionality)

What's Changed

This is backwards-compatible with older tokens.

  • SDKs config loaders for all 3 SDKs
  • New claims in tokens
  • Docs updates to remove requirement of HATCHET_CLIENT_HOST_PORT
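
An added example, not code from the Hatchet SDKs, of how a client could take its gRPC address from the `grpc_broadcast_address` claim described above while still working with older tokens. It assumes the token is a three-segment JWT with a base64url JSON payload and that an explicitly configured host:port (such as `HATCHET_CLIENT_HOST_PORT`) takes precedence; `ResolveGRPCAddr`, `addrClaims` and the optional `allowedHosts` pin list are hypothetical names.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// addrClaims holds the two custom claims named in the PR description.
type addrClaims struct {
	ServerURL            string `json:"server_url"`
	GRPCBroadcastAddress string `json:"grpc_broadcast_address"`
}

// ResolveGRPCAddr returns the host:port to dial. The payload is read unverified,
// so the claim is only a hint; override (assumed to win) serves older tokens.
func ResolveGRPCAddr(token, override string, allowedHosts []string) (string, error) {
	if override != "" {
		return override, nil
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("token does not have three segments")
	}
	var c addrClaims
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return "", fmt.Errorf("token payload is not base64url-encoded JSON")
	}
	host, _, err := net.SplitHostPort(c.GRPCBroadcastAddress)
	if err != nil {
		return "", fmt.Errorf("grpc_broadcast_address missing or not host:port: %w", err)
	}
	ok := len(allowedHosts) == 0
	for _, h := range allowedHosts {
		ok = ok || strings.EqualFold(h, host)
	}
	if !ok {
		return "", fmt.Errorf("claimed host %q is not in the allow-list", host)
	}
	return c.GRPCBroadcastAddress, nil
}

func main() {
	body := base64.RawURLEncoding.EncodeToString([]byte(`{"grpc_broadcast_address":"engine.example.com:7070"}`)) // constructed sample
	fmt.Println(ResolveGRPCAddr("e30."+body+".sig", "", []string{"engine.example.com"}))
}
```

Pinning `allowedHosts` in deployment configuration gives a client-side control against the rewritten-claim scenario the description raises, alongside the TLS requirement.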


vercel bot commented Feb 5, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Updated (UTC)
hatchet ✅ Ready (Inspect) Visit Preview Feb 5, 2024 4:27am

@abelanger5 abelanger5 merged commit 73adb77 into main Feb 5, 2024
17 checks passed
@abelanger5 abelanger5 deleted the belanger/custom-claims branch February 5, 2024 05:18
@@ -49,6 +49,9 @@ type ConfigFileRuntime struct {
// GRPCBindAddress is the address that the grpc server binds to. Should set to 0.0.0.0 if binding in docker container.
GRPCBindAddress string `mapstructure:"grpcBindAddress" json:"grpcBindAddress,omitempty" default:"127.0.0.1"`

// GRPCBroadcastAddress is the address that the grpc server broadcasts to, which is what clients should use when connecting.
GRPCBroadcastAddress string `mapstructure:"grpcBroadcastAddress" json:"grpcBroadcastAddress,omitempty" default:"127.0.0.1:7070"`
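
Review bot: the `127.0.0.1:7070` default on GRPCBroadcastAddress is only reachable from the server's own host, yet its comment says this is the address clients should use when connecting, and the GRPCBindAddress comment just above recommends 0.0.0.0 for Docker. A deployment that changes the bind address and leaves this default will advertise a loopback address to clients on other hosts. Suggest extending the comment to say the value is host:port (GRPCBindAddress's default carries no port, so the two fields differ in format) and that it must be set to an externally reachable address whenever clients run elsewhere, and consider a startup warning when the bind address is non-loopback while this field is still at its default.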

need to set this on the go-quickstart docker-compose?


2 participants