Account Policy to Restrict Bearer Token Users #3084

Closed
tbeets opened this issue Apr 28, 2022 · 0 comments · Fixed by #3091 or #3127
tbeets commented Apr 28, 2022

Feature Request

In operator-mode configurations (JWT-based), an account owner can create bearer token User JWTs using the --bearer option of nsc or the JWT client libraries.

Some operators may desire to create accounts that explicitly restrict the account owner from creating users with the bearer-token option.

Use Case:

Force client to present User JWT and perform a challenge-and-response authentication, i.e. sign nonce using possessed private NKEY.

Proposed Change:

Add an account-level claim that asserts that the account may not issue bearer User JWTs.

Who Benefits From The Change(s)?

Organizations/operators that have a policy against bearer token usage at runtime, but otherwise enable account owners to manage their own user lifecycle.

Alternative Approaches

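The following is an added illustration of the use case and proposed change above; it is not code from this issue, from nats-server, or from the nats-io/jwt library. It models the server-side decision with simplified claim types (an assumption; the real types live in nats-io/jwt) and uses raw ed25519 from the Go standard library with hex-encoded public keys in place of NKEY encoding (also an assumption). A user presenting a bearer token is refused when the account claim carries `disallow_bearer`; any other user must answer the server's nonce challenge with a signature made by the private key matching the public key in the User JWT, and a signature over a different nonce is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Simplified claim shapes for illustration. The JSON field names follow the
// option names mentioned in this issue's commits (DisallowBearer on the
// account, bearer_token on the user); the Go types themselves are an
// assumption, not the nats-io/jwt types.
type AccountLimits struct {
	DisallowBearer bool `json:"disallow_bearer,omitempty"`
}

type AccountClaims struct {
	Name   string        `json:"name"`
	Limits AccountLimits `json:"limits"`
}

type UserClaims struct {
	Name string `json:"name"`
	// Subject is the user's public key. Assumption: hex-encoded raw ed25519
	// key here; real NKEYs use a prefixed base32 encoding with a checksum.
	Subject     string `json:"sub"`
	BearerToken bool   `json:"bearer_token,omitempty"`
}

var (
	ErrBearerDisallowed = errors.New("account policy disallows bearer-token users")
	ErrBadSignature     = errors.New("nonce signature does not verify against the user's public key")
	ErrBadSubject       = errors.New("user subject is not a valid public key")
)

// Constructed account claim payload (illustrative JSON, not a signed JWT).
const strictAccountJSON = `{"name":"ops-account","limits":{"disallow_bearer":true}}`

func ParseAccountClaims(raw string) (AccountClaims, error) {
	var ac AccountClaims
	err := json.Unmarshal([]byte(raw), &ac)
	return ac, err
}

// AdmitUser is the server-side decision the issue asks for. A bearer-token
// user is refused outright when the account forbids bearer users. Any other
// user must prove possession of its private key by signing the server nonce.
func AdmitUser(acc AccountClaims, user UserClaims, nonce, sig []byte) error {
	if user.BearerToken {
		if acc.Limits.DisallowBearer {
			return ErrBearerDisallowed
		}
		return nil // bearer user: presenting the JWT alone is sufficient
	}
	pub, err := hex.DecodeString(user.Subject)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return ErrBadSubject
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), nonce, sig) {
		return ErrBadSignature
	}
	return nil
}

// Scenario exercises the policy with a freshly generated key pair and returns
// the outcome of each case so it can be checked rather than only printed.
func Scenario() (bearerRefused, signedAccepted, wrongNonceRefused error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	strict, err := ParseAccountClaims(strictAccountJSON)
	if err != nil {
		panic(err)
	}
	subject := hex.EncodeToString(pub)

	// 1. Bearer user under an account that disallows bearer tokens.
	bearerRefused = AdmitUser(strict, UserClaims{Name: "svc", Subject: subject, BearerToken: true}, nil, nil)

	// 2. Non-bearer user answering the challenge with a valid signature over the nonce.
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	user := UserClaims{Name: "svc", Subject: subject}
	sig := ed25519.Sign(priv, nonce)
	signedAccepted = AdmitUser(strict, user, nonce, sig)

	// 3. The same signature presented against a different nonce (a replay) fails.
	wrongNonceRefused = AdmitUser(strict, user, append([]byte("x"), nonce...), sig)
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Println("bearer user under strict account:", a)
	fmt.Println("signed challenge:", b)
	fmt.Println("replayed signature on other nonce:", c)
}
```

The check is deliberately split in two: the bearer decision depends only on the account claim and the user claim, so it can be made before any challenge is issued, while the signature step is what actually ties the connection to a possessed key. An account without `disallow_bearer` keeps today's behaviour and admits bearer users on the JWT alone.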
matthiashanel added a commit to nats-io/jwt that referenced this issue Apr 29, 2022
matthiashanel added a commit to nats-io/nsc that referenced this issue Apr 29, 2022
change 2 out of 3 for nats-io/nats-server#3084
corresponds to nats-io/jwt#177

also fixed minor staticcheck issues

Signed-off-by: Matthias Hanel <mh@synadia.com>
matthiashanel added a commit that referenced this issue Apr 29, 2022
change 3 out of 3 for #3084
corresponds to:
nats-io/jwt#177
nats-io/nsc#495

Signed-off-by: Matthias Hanel <mh@synadia.com>
matthiashanel added a commit to nats-io/nsc that referenced this issue Apr 29, 2022
change 2 out of 3 for nats-io/nats-server#3084
corresponds to nats-io/jwt#177

also fixed minor staticcheck issues

Signed-off-by: Matthias Hanel <mh@synadia.com>
matthiashanel added a commit that referenced this issue Apr 29, 2022
I modified an existing data structure that held a similar attribute already.
Instead this data structure references the claim.

change 3 out of 3. Fixes #3084
corresponds to:
nats-io/jwt#177
nats-io/nsc#495

Signed-off-by: Matthias Hanel <mh@synadia.com>
matthiashanel added a commit to nats-io/nsc that referenced this issue May 9, 2022
* [added] support for account option DisallowBearerToken

change 2 out of 3 for nats-io/nats-server#3084
corresponds to nats-io/jwt#177

also fixed minor staticcheck issues
also removed unused ha_assets

Signed-off-by: Matthias Hanel <mh@synadia.com>
matthiashanel added a commit that referenced this issue May 16, 2022
change 3 out of 3. Fixes #3084
corresponds to:
nats-io/jwt#177
nats-io/nsc#495

Signed-off-by: Matthias Hanel <mh@synadia.com>
matthiashanel added a commit that referenced this issue Jun 13, 2022
change 3 out of 3. Fixes #3084
corresponds to:
nats-io/jwt#177
nats-io/nsc#495

Signed-off-by: Matthias Hanel <mh@synadia.com>
matthiashanel added a commit that referenced this issue Jun 28, 2022
change 3 out of 3. Fixes #3084
corresponds to:
nats-io/jwt#177
nats-io/nsc#495

Signed-off-by: Matthias Hanel <mh@synadia.com>
matthiashanel added a commit that referenced this issue Jun 29, 2022
* [added] support for jwt account option DisallowBearer

change 3 out of 3. Fixes #3084
corresponds to:
nats-io/jwt#177
nats-io/nsc#495

update jwt library to 2.3.0

Signed-off-by: Matthias Hanel <mh@synadia.com>