Add OIDC access token validation #107
Logic looks good as far as I can tell 👍🏻
Eventually we will want to change the error handling in VerifyTokenMiddleware to use problem.Response I think, but for now I think this is good.
With some of the suggestions there will be other changes required (mainly *map -> map), but your IDE should tell you about those, and it should be fairly straightforward I think. Don't hesitate to ask if weird stuff happens 👍🏻
Suggest doing a replace all for OICD -> OIDC as well.
Regarding the pointers, I'm moving the discussion to teams to try to move it quickly, will summarise here.
My apologies here, after rebasing onto the latest changes I found the comments have been detached from the code references. I believe this is due to the change set of This formatting is applied here now as well though!
Co-authored-by: Alexamakans <79503481+Alexamakans@users.noreply.github.com>
Co-authored-by: kalle (jag) <kalle.jillheden@iver.se>
Now that #124 has been merged, if you merge/rebase from master then we can deploy this to our staging environment to try this out if you want.
Would like to see the changes implemented, but approving to speed up the process.
Nice work 👍🏻
} | ||
|
||
// SubscribeToKeyURLUpdates ensures new keys are fetched as necessary. | ||
// As a standard OIDC login provider keys should be checked for updates ever 1 day 1 hour. |
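Review bot: the doc comment on SubscribeToKeyURLUpdates states the refresh interval as "ever 1 day 1 hour", where "ever" should be "every", and it gives no reason for the extra hour on top of a day. It would also help to say what happens to token verification when a scheduled key fetch fails, since "as necessary" leaves that open to the reader.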
// As a standard OIDC login provider keys should be checked for updates ever 1 day 1 hour. | |
// As a standard OIDC login provider keys should be checked for updates every 25 hours. |
I think the connection is easier to make towards daily key rotation if the text mentions day, so I would skip this fix.
CHANGELOG.md file, according to docs: https://iver-wharf.github.io/#/development/changelogs/writing-changelogs
Requires merge of
Summary
Added a slew of options for setting OIDC parameters for JWT token verification. Upon setting enable, this check will be enforced for requests sent to the API such that all requests not carrying a valid bearer token will fail.
Motivation
This works in coalition with the corresponding frontend implementation iver-wharf/wharf-web#70. Both PRs make up all the needed code to get basics for OIDC working.