Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSO; single api server, multiple client applications #19

Closed
jeffreylo opened this issue Feb 2, 2022 · 3 comments
Closed

SSO; single api server, multiple client applications #19

jeffreylo opened this issue Feb 2, 2022 · 3 comments

Comments

@jeffreylo
Copy link
Contributor

Support for one-of might be an interesting path forward but I'm also curious whether keratin/authn-go#15 also solves your issue?

One advantage to SubjectFromWithAudience is that it doesn't need to be pre-configured with a finite set of audiences at startup.

I'll close this issue on authn-server as it appears to be related to authn-go. Let's continue over there if you think there's more to discover.

Continuing the discussion from keratin/authn-server#193, client JWTs seem to only have a single entry in their aud field, i.e., the requesting domain. This means that SubjectFromWithAudience is still insufficient.

For example, given these identity tokens:

{
  "aud": [
    "client1.example.com"
  ],
  "auth_time": 1643740180,
  "exp": 1643743780,
  "iat": 1643740180,
  "iss": "https://auth.example.com",
  "sub": "1"
}
{
  "aud": [
    "client2.example.com"
  ],
  "auth_time": 1643740180,
  "exp": 1643743780,
  "iat": 1643740180,
  "iss": "https://auth.example.com",
  "sub": "1"
}

There seems to be no clear way to configure the authn-go client’s Audience or leverage SubjectFromWithAudience to pass validation. A jwt.Audience{} in SubjectFromWithAudience would work, but obviously drops audience verification, which seems important.

The proposal for oneOf in #14 seems to best fit this use case, but I’m not sure if there’s a way to accomplish this with the resultant SubjectFromWithAudience shipped in #15.

Does this make sense?
@cainlevy
Copy link
Member

cainlevy commented Feb 2, 2022

I'm missing something here. Is the problem that your backend is unable to determine if the request is coming from client1.example.com or client2.example.com?

@jeffreylo
Copy link
Contributor Author

I'm missing something here. Is the problem that your backend is unable to determine if the request is coming from client1.example.com or client2.example.com?

More or less, but this seems like an issue unrelated to authn-go’s scope.

For now, I’ve configured an allowlist of known audiences and it works as expected.

Closing as there’s no clear action or next discussion.

@cainlevy
Copy link
Member

cainlevy commented Feb 4, 2022

Allowing all of your potential domains sounds right to me.

You might also be able to rely on the Origin header to reflect the domain of your request, assuming they're all cross origin requests. That's how AuthN sorts out which audience to give an identity token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cainlevy @jeffreylo