Add audience claim check (#363) #397

Merged (6 commits), Apr 6, 2024

Conversation

maia-iyer (Collaborator) commented Apr 4, 2024

This PR adds a field in the UserManagement config for the expected audience:

  # Configure Keycloak as external Authentication server
  UserManagement "KeycloakAuth" {
    plugin_data {
      # issuer - Issuer URL for OIDC
      issuer = "http://host.docker.internal:8080/realms/tornjak"

      # audience - expected value for aud claim in JWT
      # if not included or set, there will be no audience check
      # recommended to ensure JWT was meant for Tornjak Backend resource server
      audience = "tornjak-backend"
    }
  }

If omitted from the config, the server will log a warning and not run the audience check at runtime.

closes #363

Also this attempts to clean up some IAM documentation

Signed-off-by: Maia Iyer <maia.raj.iyer@gmail.com>
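The behaviour this PR configures, shown as an added example written for this page rather than code from the Tornjak project: a resource server verifies a JWT (pinned algorithm, signature, issuer) and then enforces the `aud` claim only when an expected audience is configured, reproducing the fail-open-with-warning semantics described in the PR. Everything here is an assumption for illustration: the HS256 signing, the `constructed-example-secret` key, the `MintHS256`/`Authenticate`/`NewAudienceCheck` names, and the claim values; a real OIDC resource server verifies against the issuer's published keys, which this example does not model.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
	"strings"
)

// Claims holds the claims the resource server inspects; "aud" stays raw because RFC 7519 allows a string or an array.
type Claims struct {
	Issuer   string          `json:"iss"`
	Audience json.RawMessage `json:"aud"`
}

// NewAudienceCheck builds the request-time aud check from the configured value.
// As in the PR, an empty value disables the check (fail-open) and logs a warning.
func NewAudienceCheck(expected string) func(Claims) error {
	if expected == "" {
		log.Println("WARNING: audience not configured; aud claim will not be checked")
		return func(Claims) error { return nil }
	}
	return func(c Claims) error {
		var one string
		var many []string
		if json.Unmarshal(c.Audience, &one) == nil {
			many = []string{one}
		} else if json.Unmarshal(c.Audience, &many) != nil {
			return fmt.Errorf("aud claim missing or malformed")
		}
		for _, aud := range many {
			if aud == expected {
				return nil
			}
		}
		return fmt.Errorf("token audience %v does not include %q", many, expected)
	}
}

func hs256(key []byte, signingInput string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// decodeSegment base64url-decodes one JWT segment and unmarshals it into v.
func decodeSegment(seg string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// MintHS256 stands in for the identity provider: a compact JWT under a constructed example secret.
func MintHS256(key []byte, claims map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims) // constructed claims are plain JSON values
	signingInput := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(payload)
	return signingInput + "." + hs256(key, signingInput)
}

// Authenticate is the resource-server side: pinned algorithm, signature, issuer, and only then the audience check.
func Authenticate(key []byte, token, expectedIssuer string, audCheck func(Claims) error) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return c, err
	}
	if hdr.Alg != "HS256" { // never let the token choose the algorithm
		return c, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	if !hmac.Equal([]byte(parts[2]), []byte(hs256(key, parts[0]+"."+parts[1]))) {
		return c, fmt.Errorf("invalid signature")
	}
	if err := decodeSegment(parts[1], &c); err != nil {
		return c, err
	}
	if c.Issuer != expectedIssuer {
		return c, fmt.Errorf("unexpected issuer %q", c.Issuer)
	}
	return c, audCheck(c)
}

func main() {
	key := []byte("constructed-example-secret") // constructed; not a real IdP key
	iss := "http://host.docker.internal:8080/realms/tornjak"
	tok := MintHS256(key, map[string]any{"iss": iss, "sub": "alice", "aud": "some-other-api"})
	_, strict := Authenticate(key, tok, iss, NewAudienceCheck("tornjak-backend"))
	_, lenient := Authenticate(key, tok, iss, NewAudienceCheck(""))
	fmt.Printf("audience configured: %v\naudience omitted: %v\n", strict, lenient)
}
```

Running it shows a validly signed token from the same issuer, minted for `some-other-api`, rejected when `audience = "tornjak-backend"` is set and accepted when the audience is left empty; that second outcome is why the config comment recommends setting the value. The audience check runs only after signature and issuer validation, so an attacker cannot reach it with a forged token, and the `aud` claim is accepted in both its string and array forms.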
@maia-iyer maia-iyer added IAM backend Tornjak API (Backend) labels Apr 4, 2024
@maia-iyer maia-iyer added this to the 1.6.x milestone Apr 4, 2024
@maia-iyer maia-iyer self-assigned this Apr 4, 2024
mrsabath (Collaborator) left a comment:

This is a really good addition. Thank you @maia-iyer . I approve assuming it all works end-to-end.

@@ -776,8 +776,13 @@ func NewAuth(authPlugin *ast.ObjectItem) (auth.Auth, error) {
return nil, errors.Errorf("Couldn't parse Auth config: %v", err)
}

// Log warning if audience is nil that aud claim is not checked
if config.Audience == "" {
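Review bot: the comment on the added line says the warning fires "if audience is nil", but the check is against the empty string (`if config.Audience == "" {`), so a value consisting only of whitespace passes the check and is then enforced as a literal audience; compare `strings.TrimSpace(config.Audience) == ""` and word the comment to match. Since an omitted audience disables the aud check entirely, the warning text (not shown in this hunk) should state plainly that tokens the issuer minted for other clients will be accepted, so operators understand what the default gives up.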
Collaborator commented on this line:

good idea to check and print the warning

@maia-iyer maia-iyer merged commit 88d6718 into v1.6 Apr 6, 2024
8 checks passed
@maia-iyer maia-iyer deleted the audience_check branch April 9, 2024 20:02
Linked issue: Tornjak Backend Auth rework