Skip to content

reset timestamps claims to integer when composer plugins are invoked for compatibility with AWS #5115

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
azdagron merged 1 commit into from
May 1, 2024
Merged

reset timestamps claims to integer when composer plugins are invoked for compatibility with AWS #5115

azdagron merged 1 commit into from
May 1, 2024

Conversation

@naroraindeed
Copy link
Contributor

@naroraindeed naroraindeed commented Apr 30, 2024

Using credentialcomposer plugins forces Claims to be translated as protobuf structs which serializes integers as floats (#4982). AWS rejects validating JWT issued by SPIRE with timestamps that are in scientific notation. AWS STS only accepts integer timestamps as valid. We've discussed this with AWS, and while they agree it's an issue in AWS STS, there's no recourse available with them. This fix helps reset value type for timestamps and also includes unit tests that proves the problem and the limited scope of the fix. This is the minimal change needed for SPIRE to produce verifiable JWT for AWS when using credentialcomposer plugin.

Signed-off-by: narora@indeed.com

Pull Request check list

  • [Y] Commit conforms to CONTRIBUTING.md?
  • [Y] Proper tests/regressions included?
  • [N] Documentation updated?

Affected functionality
BuildWorkloadJWTSVIDClaims resets data type for certain claims.

Description of change
Minimal change needed for SPIRE to produce verifiable JWT for AWS when using credentialcomposer plugin.

Which issue this PR fixes
fixes #4982

@naroraindeed
reset timestamps to integer when composer plugins are invoked for com…
72b48f0 
…patiblity with AWS

Using credentialcomposer plugins forces Claims to be translated as protobuf structs which serializes integers as floats (spiffe#4982). AWS rejects validating JWT issued by SPIRE with timestamps that are in scientific notation. AWS STS only accepts integer timestamps as valid. We've discussed this with AWS, and while they agree it's an issue in AWS STS, there's no recourse available with them. This fix helps reset value type for timestamps and also includes unit tests that make the problem obvious. This is the minimal change needed for SPIRE to produce verifiable JWT for AWS when using credentialcomposer plugin.

Signed-off-by: Nikhil Arora <narora@indeed.com>
@naroraindeed
Copy link
Contributor Author

naroraindeed commented May 1, 2024

fixed lint and DCO workflow failures. Need help to retrigger workflows.

azdagron
azdagron approved these changes May 1, 2024
View reviewed changes
Copy link
Member

@azdagron azdagron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this quick fix @naroraindeed. This will be great for the upcoming 1.9.5 release. I think for 1.10.0 we'll do something a little more broadly scoped and this PR lays out some important groundwork. I really appreciate the contribution.

@azdagron azdagron added this to the 1.9.5 milestone May 1, 2024
@azdagron azdagron merged commit 9deb317 into spiffe:main May 1, 2024
@naroraindeed
Copy link
Contributor Author

naroraindeed commented May 1, 2024

Thank you so much @azdagron . I completely agree, this is a tactical fix to make AWS happy. This doesn't fix the generic problem of representing Claims in a way that preserves the integer value type in composer plugins. That's a good next step.
You've reduced the burden on our end to maintain a separate fork for core SPIRE. 👍🏾

@liwadman
Copy link

liwadman commented May 2, 2024

@azdagron A review of many common JWT validation libraries seemed to indicate that by type validation alone, timestamps as floats/scientific notation wouldn't be supported. I will say I that I didn't test all these with code, but rather the their code for validating IAT/NBF/EXP claims. Thus it would seem there is extremely mixed support in the JWT ecosystem for non-integer timestamp values, and in time likely it would surface more than just AWS STS would be impacted by this issue.

Libraries I Checked:
Nimbus - java (floats not supported by type validation)
Jose - typescript (floats allowed by type validation)
PyJWT - python(floats not supported by type validation)
Python-jose - python(floats not supported by type validation)
Golang-jwt - go (floats allowed by type validation)
g-jose - go (floats not supported by type validation)
java-jwt - java(floats not supported by type validation)
node-jose javascript(floats allowed by type validation)

@amartinezfayo amartinezfayo modified the milestones: 1.9.5, 1.9.6 May 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@azdagron azdagron azdagron approved these changes

@evan2645 evan2645 Awaiting requested review from evan2645 evan2645 is a code owner

@amartinezfayo amartinezfayo Awaiting requested review from amartinezfayo amartinezfayo is a code owner

@MarcosDY MarcosDY Awaiting requested review from MarcosDY MarcosDY is a code owner

@rturner3 rturner3 Awaiting requested review from rturner3 rturner3 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

1.9.6

Development

Successfully merging this pull request may close these issues.

4 participants

@naroraindeed @liwadman @azdagron @amartinezfayo