AWS KMS support for OAuth2 Client Credentials JWT authentication #5892
Comments
|
Extending |
|
Let me come up with some code & we can discuss more in detail. |
|
Can you take a look at commit: 876745e This is not tested code, this is how I am thinking of adding the id of the key in AMS |
|
Just glanced at the code, it looks fine. Thanks for looking into this. I did see we pull in new deps, can we do w/o it or do we need to pull all of them in? |
|
I am calling AWS KMS API to sign the digest. https://docs.aws.amazon.com/sdk-for-go/api/service/kms/#KMS.Sign |
|
We have some AWS related code in here. The question is the code that you are pulling in self-contained enough that we don't need to import the entire library. |
|
Sorry for the late response, was busy last week. I will check this code and see if we can use this |
|
@ashutosh-narkar I have changed the implementation to use Signed AWS request instead of pulling in AWS go libraries: d5ed3fc I have done some basic testing, it works as expected. Pls give feedback |
|
This looks much better. Can you please open a draft PR so that we can give more feedback. Thanks for looking into this. |
|
This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue. |
|
Closed via #5942. |
What is the underlying problem you're trying to solve?
We would like to add support for AWS KMS keys to sign the client assertions used in OAuth2 Client Credentials JWT authentication. The current implementation signs the assertions using the
signing_key.private_keyvalue specified in the configuration. KMS keys or the private portion of an asymmetric KMS key cannot be exported in plain text from the HSMs. AWS KMS only allows to sign data using the signing API. The keyID, algorithm and the message(or digest) are the only parameters required for this API. This helps in improving the security of services using OPA.Describe the ideal solution
The
signing_keyconfiguration could support additional parameters for specifying keyId and cloud vendor. We can add support for signing using KMS inoauth2ClientCredentialsAuthPluginhere.This will require changes in the way plugin uses
jws.SignLiteralfor signing assertions.Describe a "Good Enough" solution
We could add new plugin like
oauth2ClientCredentialsAuthPluginwhich supports only AWS KMS.Additional Context
Generating base64 encoded signature
When used with the ECDSA_SHA_256, ECDSA_SHA_384, or ECDSA_SHA_512 signing algorithms, the signature value is a DER-encoded object as defined by ANS X9.62–2005 and RFC 3279 Section 2.2.3.
This is the most commonly used signature format and is appropriate for most uses. We need to perform the following steps to convert the DER-encoded object to a valid signature
r&svalues from the encoded structurerandsvaluesrandsvalues after adding necessary padding to signatureThe text was updated successfully, but these errors were encountered: