Add OIDC access token validation #107
Conversation
fredx30
changed the base branch from
master
to
feature/cors-credentials-allow-origin-specific
fredx30
requested review from
applejag and
Alexamakans
and removed request for
applejag
fredx30
force-pushed
the
feature/cors-credentials-allow-origin-specific
branch
2 times, most recently
from
ed95856
to
25e4e8b
Compare
fredx30
force-pushed
the
feature/add-oidc-token-checking
branch
from
f538bbf
to
14c4de2
Compare
There was a problem hiding this comment.
Logic looks good as far as I can tell 👍🏻
Eventually we will want to change the error handling in VerifyTokenMiddleware to use problem.Response I think, but for now I think this is good.
With some of the suggestions there will be other changes required (mainly *map -> map), but your IDE should tell you about those, and it should be fairly straightforward I think. Don't hesitate to ask if weird stuff happens 👍🏻
Suggest doing a replace all for OICD -> OIDC as well.
fredx30
force-pushed
the
feature/add-oidc-token-checking
branch
from
ea6be92
to
b0c5e6b
Compare
|
Regarding the pointers im moving the discussion to teams to try to move it quick will summarise here. |
fredx30
force-pushed
the
feature/add-oidc-token-checking
branch
from
b0c5e6b
to
32a9791
Compare
|
My apologies here after rebasing onto the latest changes i found the comments have been detached from the code references. I belive this is due to the change set of This formatting is applied here now aswell though! |
Co-authored-by: Alexamakans <79503481+Alexamakans@users.noreply.github.com>
Co-authored-by: kalle (jag) <kalle.jillheden@iver.se>
fredx30
force-pushed
the
feature/add-oidc-token-checking
branch
from
4546dd9
to
768f39f
Compare
|
Now that #124 has been merged, if you merge/rebase from master then we can deploy this to our staging environment to try this out if you want. |
| } | ||
|
|
||
| // SubscribeToKeyURLUpdates ensures new keys are fetched as necessary. | ||
| // As a standard OIDC login provider keys should be checked for updates ever 1 day 1 hour. |
There was a problem hiding this comment.
| // As a standard OIDC login provider keys should be checked for updates ever 1 day 1 hour. | |
| // As a standard OIDC login provider keys should be checked for updates every 25 hours. |
There was a problem hiding this comment.
I think the connection is easier to make towards daily keyrotation if the text mentions day so i would skip this fix.
Co-authored-by: Alexamakans <79503481+Alexamakans@users.noreply.github.com>
Co-authored-by: Alexamakans <79503481+Alexamakans@users.noreply.github.com>
Co-authored-by: Alexamakans <79503481+Alexamakans@users.noreply.github.com>
CHANGELOG.mdfile, according to docs:https://iver-wharf.github.io/#/development/changelogs/writing-changelogs
Requires merge of
Summary
Added a slew of options for setting OIDC parameters for JWT token verification. Upon setting enable this will check will be enforced for requests sent to the api such that all requests not carrying a valid bearer token will fail.
Motivation
This works in coalition with the coresponding frontend implementation iver-wharf/wharf-web#70. Both PRs make up all the needed code to get basics for OIDC working.