Expect keyid/scope as part of the token in Bundle signing #4462
Comments
I'm not sure this would classify as a bug. We're not claiming to be standards-compliant, I believe -- is there some standard that makes you expect that information in the token?
💡 So our docs mention those fields, https://www.openpolicyagent.org/docs/latest/management-bundles/#signature-format ...but it's unclear to me (at least) where anything but scope could come from 🤔
Reading the docs again, I believe those fields do not matter at all: https://www.openpolicyagent.org/docs/latest/management-bundles/#signature-verification
☝️ That means it's not part of the signature payload, it's just in the ordinary JWT header.
@deepapt What is your use case? What do you need these headers for? Anyways, I've tried signing a bundle and the header I get is
so that doesn't explain where iat/iss/id could come from...
Thanks for reporting this @deepapt 👍 Looks like a mixed bag of issues, really..
Might have missed something, but that's at least a starting point :)
OPA build has this: But
The link shows the additional keys so that they are able to understand the context as well. https://www.openpolicyagent.org/docs/latest/management-bundles/#signature-verification In the example, the keyid is provided for bundle signing. That keyid is getting extracted from the signature. services:
bundles: Signature: { After Decode: {
Just to clarify about
{
  "scope": "read"
}
With the above the JWT payload will have keys
If you need a single command to build and sign your bundle,
We should clarify the points raised in this comment and make it part of the docs for the feature. I'll work on getting those in.
FYI docs updated with more info about signing in this PR.
Closing as doc fixes got merged.
I used the below command to generate the signature.json for bundle signing.
After Decoding the signature JWT, it looks like this:
I expect iat/iss/keyid/scope as part of token.
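To check for yourself where keyid and scope actually land in a signed bundle's signatures.json, here is an added example (not OPA's own code and not from anyone in this thread) that decodes each token's header and payload without verifying the signature and reports which claims sit where. The sample token is constructed inline, and the assumption that the key id travels as the JWS `kid` header is marked in the code.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (JWS compact serialization form)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_signature_token(token: str) -> dict:
    """Split a compact JWS into its decoded header and payload. No signature check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
    }

def inspect_signatures_file(signatures_json: str) -> list:
    """For every token in a signatures.json document, report which fields sit in header vs payload."""
    report = []
    for token in json.loads(signatures_json).get("signatures", []):
        decoded = decode_signature_token(token)
        hdr, payload = decoded["header"], decoded["payload"]
        report.append({
            "alg": hdr.get("alg"),
            "keyid_in_header": hdr.get("kid"),  # assumption: key id is carried as the JWS 'kid' header
            "keyid_in_payload": payload.get("keyid"),
            "scope": payload.get("scope"),
            "files": [f.get("name") for f in payload.get("files", [])],
            "has_iat": "iat" in payload,
            "has_iss": "iss" in payload,
        })
    return report

def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

# Constructed sample token: header and payload shaped as the thread describes, with a dummy signature segment.
SAMPLE_HEADER = {"alg": "RS256", "kid": "foo"}
SAMPLE_PAYLOAD = {"files": [{"name": "policy.rego", "hash": "<constructed>", "algorithm": "SHA-256"}],
                  "scope": "read"}
SAMPLE_SIGNATURES_JSON = json.dumps(
    {"signatures": [f"{_b64url(SAMPLE_HEADER)}.{_b64url(SAMPLE_PAYLOAD)}.dummysig"]})

def sample_report() -> list:
    """Run the inspection over the constructed signatures.json."""
    return inspect_signatures_file(SAMPLE_SIGNATURES_JSON)
```

Running the same inspection over a real signatures.json produced by `opa build` shows whether keyid is only in the header and whether iat/iss are absent, which is what the comments above describe.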