This repository has been archived by the owner on Apr 2, 2019. It is now read-only.

Verify JWT and use subject #21

Merged
merged 9 commits into master from verify-jwt
Oct 5, 2017

Conversation

leplatrem
Collaborator

@leplatrem leplatrem commented Oct 2, 2017

# policies.yaml 
-
  id: "1"
  description: This policy allows Google users to do everything
  subjects:
    - google-oauth2|<.*>
  actions:
    - <.*>
  resources:
    - <.*>
  effect: allow

Then I query /allowed with a JWT token, the token is verified, and the subject is used to match policies.

I pass the Auth0-Domain and Auth0-Audience in the headers, to be able to validate tokens from different services.

$ echo {} | http POST :8080/allowed "Auth0-Domain:minimal-demo-iam" "Auth0-Audience:http://minimal-demo-iam.localhost:8000" "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5EZzFOemczTlRFeVEwVTFNMEZCTnpCQlFqa3hOVVk1UTBVMU9USXpOalEzUXpVek5UWkRNQSJ9.eyJpc3MiOiJodHRwczovL21pbmltYWwtZGVtby1pYW0uYXV0aDAuY29tLyIsInN1YiI6Imdvb2dsZS1vYXV0aDJ8MTA0MTAyMzA2MTExMzUwNTc2NjI4IiwiYXVkIjpbImh0dHA6Ly9taW5pbWFsLWRlbW8taWFtLmxvY2FsaG9zdDo4MDAwIiwiaHR0cHM6Ly9taW5pbWFsLWRlbW8taWFtLmF1dGgwLmNvbS91c2VyaW5mbyJdLCJpYXQiOjE1MDY5NTkxOTgsImV4cCI6MTUwNjk2NjM5OCwiYXpwIjoiV1lSWXBKeVM1RG5EeXhMVFJWR0NRR0NXR28yS05RTE4iLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIn0.ifelc8pX6JQipcarBE1b9mSjfn5H-DhDZ2uT5a_0Z14-brSsIOS2f74_RQXy8n5RNh_JbpQ8qPYHIyAVRHbEPT1yNzvPM9VMF6roW9hMpinE1oSd2D3IMc9kEp03J0Rw2yz3u5R1tLrMwVATpqSFtrFGclmnEYT8__zg2XQL3VLv5mvt-9YC-FOVeq8tCSGTeP9CrXp4AoQMOEJ-1RfSdMiy8tcg_PK6Xsrj86dxDRBDoSeTFO99UUA3yyrc0tFFwIvjvDv-Y0l7FpVnplpi_QkhCmYOMAjORgT0NlEtR2fJq2RZMqJcVCLVlfidAxEOu1Vkx4dcwLnqnk2HcEGb6Q" 
HTTP/1.1 200 OK
Content-Length: 16
Content-Type: application/json; charset=utf-8
Date: Mon, 02 Oct 2017 16:58:41 GMT

{
    "allowed": true
}

It takes around ~200ms, but I guess JWKClient could be cached by domain... Later the authorization could be in charge of fetching LDAP userid and groups to match the policies (instead of just the JWT subject)

@Natim @mozbhearsum @mostlygeek @peterbe Any thought about this POC?
Thanks a lot!

leplatrem changed the title from "Verify JWT and use subject" to "[WIP] Verify JWT and use subject" on Oct 2, 2017
@bhearsum

bhearsum commented Oct 3, 2017

It looks like this app as a whole is just a very, very thin wrapper around Warden? I guess I'm not sure what exactly you're looking for review on.

@mostlygeek

mostlygeek commented Oct 3, 2017

The JWT's headers/payload (for reference)

Header:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "NDg1Nzg3NTEyQ0U1M0FBNzBBQjkxNUY5Q0U1OTIzNjQ3QzUzNTZDMA"
}

Payload:

{
  "iss": "https://minimal-demo-iam.auth0.com/",
  "sub": "google-oauth2|104102306111350576628",
  "aud": [
    "http://minimal-demo-iam.localhost:8000",
    "https://minimal-demo-iam.auth0.com/userinfo"
  ],
  "iat": 1506959198,
  "exp": 1506966398,
  "azp": "WYRYpJyS5DnDyxLTRVGCQGCWGo2KNQLN",
  "scope": "openid profile"
}

I don't like using custom headers to identify the issuer. Instead look for and use the issuer claim (iss) in the payload. If it doesn't exist, the token fails verification.

If the signature algorithm is asymmetric (e.g. RS256) ... we should fetch / cache the public key to prevent more lookups. If the signature algorithm is symmetric, we need to save the password somewhere. I think FxA might use symmetric keys... will need to check.
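
Added example (not code from this PR or from the project): a stand-alone Go program showing the flow leplatrem describes in the PR description (verify the bearer token, then match its subject against the policy's `google-oauth2|<.*>` pattern) done the way mostlygeek suggests above, with the issuer taken from the token's own `iss` claim and looked up in a per-issuer key map instead of being named by the caller in a request header. It uses only the standard library rather than go-jose, signs its own test token with a freshly generated RSA key pair that stands in for the IdP's JWKS entry (the kid `demo-key` and the `Keys` map are assumptions made for the demo), and performs no network fetch; the issuer and audience strings are the ones from the token quoted above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Issuer and audience values copied from the token quoted in this PR.
const demoIssuer, demoAudience = "https://minimal-demo-iam.auth0.com/", "http://minimal-demo-iam.localhost:8000"

// Claims checked by Verify. aud is decoded as a list, the form carried by the token above.
type Claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}

// Keys maps each trusted issuer to its public keys by kid: the per-issuer JWKS cache.
type Keys map[string]map[string]*rsa.PublicKey

// Verify pins alg to RS256, selects the key from the token's own iss and kid, then
// checks signature, expiry and audience. The caller never names the issuer.
func (k Keys) Verify(token, audience string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	var c Claims
	for i, dst := range []interface{}{&hdr, &c} {
		if raw, err := base64.RawURLEncoding.DecodeString(parts[i]); err != nil || json.Unmarshal(raw, dst) != nil {
			return nil, fmt.Errorf("segment %d is not base64url-encoded JSON", i)
		}
	}
	if hdr.Alg != "RS256" { // never let the token choose the algorithm
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	key, ok := k[c.Iss][hdr.Kid] // unknown issuer: nil inner map, so ok == false
	if !ok {
		return nil, fmt.Errorf("no key %q for issuer %q", hdr.Kid, c.Iss)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	if time.Now().Unix() >= c.Exp {
		return nil, fmt.Errorf("token expired")
	}
	for _, a := range c.Aud {
		if a == audience {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("audience %q not in token", audience)
}

// PolicyMatch implements the ladon subject syntax used in policies.yaml: text inside
// <...> is a regular expression, everything else is literal, e.g. "google-oauth2|<.*>".
func PolicyMatch(pattern, subject string) bool {
	var b strings.Builder
	last := 0
	for _, m := range regexp.MustCompile(`<([^>]*)>`).FindAllStringSubmatchIndex(pattern, -1) {
		b.WriteString(regexp.QuoteMeta(pattern[last:m[0]]) + "(" + pattern[m[2]:m[3]] + ")")
		last = m[1]
	}
	re, err := regexp.Compile("^" + b.String() + regexp.QuoteMeta(pattern[last:]) + "$")
	return err == nil && re.MatchString(subject)
}

// Sign produces an RS256 token the way the IdP would; it exists only to feed the demo.
func Sign(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the IdP's signing key
	if err != nil {
		panic(err)
	}
	keys := Keys{demoIssuer: {"demo-key": &priv.PublicKey}} // kid "demo-key" is constructed for this example
	tok := Sign(priv, "demo-key", Claims{Iss: demoIssuer, Sub: "google-oauth2|104102306111350576628", Aud: []string{demoAudience}, Exp: time.Now().Add(time.Hour).Unix()})
	got, err := keys.Verify(tok, demoAudience)
	fmt.Println("error:", err, "allowed:", err == nil && PolicyMatch("google-oauth2|<.*>", got.Sub))
}
```

A real service would fill the `Keys` map from each configured issuer's `/.well-known/jwks.json` and refresh that issuer's entry when a token arrives with an unknown `kid`, which is the per-domain cache mostlygeek asks for; the map lookup by `iss` is also what makes an `Auth0-Domain` header unnecessary. Note that RFC 7519 allows `aud` to be a bare string as well as a list; this minimal decoder only accepts the list form, which is what the token quoted above carries.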

@mostlygeek

Also, committing ./vendor in a PR makes it really hard to review...
Don't really have any good suggestions other than merging in after a PR.

@Natim
Contributor

Natim commented Oct 4, 2017

Is it possible to consider not vendoring libs? Btw @mostlygeek if you look at only the first commit, you don't have the vendor files.

@Natim
Contributor

Natim commented Oct 4, 2017

It looks like this app as a whole is just a very, very thin wrapper around Warden?

@mozbhearsum, just to make sure we are talking about the same thing: the content of the warden folder in this PR is the code of the project @leplatrem wrote; not sure if you were referring to the ory/warden project here.

warden/jwt.go Outdated
)

func verifyJWT(request *http.Request) (*jwt.Claims, error) {
domain := request.Header.Get("Auth0-Domain")
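Review bot: the issuer to verify against is taken from the unauthenticated `Auth0-Domain` request header (`domain := request.Header.Get("Auth0-Domain")`), so the caller of /allowed picks which key set its bearer token is checked against, and nothing in this hunk restricts the value. Derive the issuer from the token's own `iss` claim and accept only issuers present in the instance configuration; if a header has to stay for now, reject requests whose header does not match one of those configured issuers.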
Contributor

Should this be part of the config of the instance? Probably read from the ENV variables?

Collaborator Author

Maybe for this one indeed, but not for the audience right? (each Relying Party like Balrog have their own audience, unless I'm mistaken...)

Contributor

Yes, then would we be able to grab it from the referer?

Collaborator Author

The caller (Relying Party, like balrog) is not a browser, so it has to send it explicitly

warden/jwt.go Outdated
}

jwksURI := fmt.Sprintf("https://%s.auth0.com/.well-known/jwks.json", domain)
apiIssuer := fmt.Sprintf("https://%s.auth0.com/", domain)
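Review bot: `domain` is formatted straight into `jwksURI` and `apiIssuer` through `%s` with no validation, so whatever characters the header carries (including `/`, `?` or `@`) become part of the URL and can change which host `.well-known/jwks.json` is fetched from, rather than only which tenant. Validate it as a single DNS label (for example `^[a-z0-9-]+$`) before building the URL, or drop the interpolation and look the full issuer URL up in config as suggested in this review; when validating, compare the token's `iss` to `apiIssuer` exactly, trailing slash included, since that is how it is constructed here.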
Contributor

I don't think this should be specific to auth0 but most likely specific to an OpenID Connect IDP; we should probably also use the config to store the domain, including auth0.com

@@ -11,6 +11,7 @@ import (
"github.com/ory/ladon"
manager "github.com/ory/ladon/manager/memory"
log "github.com/sirupsen/logrus"
jwt "gopkg.in/square/go-jose.v2/jwt"
Contributor

👍

@leplatrem
Collaborator Author

Is it possible to consider not vendoring libs?

I guess that since we use glide, there should be something possible...

@leplatrem
Collaborator Author

This branch was demoed. No one seemed to react with a funny face, so I'll add some tests and merge :)

leplatrem changed the title from "[WIP] Verify JWT and use subject" to "Verify JWT and use subject" on Oct 5, 2017
@leplatrem leplatrem merged commit b06e3ff into master Oct 5, 2017
@leplatrem leplatrem deleted the verify-jwt branch October 5, 2017 14:21
4 participants