Bearer Token Authentication #38
The implementation itself LGTM; I concur that the JWT library that we're using isn't affected by https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
What is the current test strategy in order to verify the new auth stack? The PR doesn't seem to ship testing for JWT, or I missed it.
Thank you for the feedback. I've extended the existing Auth tests to also test for Bearer-Token-based Auth. The coverage of the auth process should thereby be pretty solid.
Summary
This PR implements JWT Bearer token authentication alongside Basic auth.
It's implemented as middleware and adds information to the Request's Context:
- `authentication-method` is either `Bearer` or `Basic`
- `bearer-token` allows access to the jwt.Claims instance if `authentication-method=Bearer`
- `user` allows access to the user's name if `authentication-method=Basic`
The endpoints `/healthz` and `/metrics` (new) don't require authentication. Every other endpoint does, and if no valid credentials or tokens are provided, then an HTTP 403 error is returned.
I've added the prometheus library for metrics collection to the project. Besides the metrics it collects automatically, I've created the following two manual metrics:
- `osb_total_broker_api_requests_total`: The total number of processed service broker API requests, not including healthz and metrics requests.
- `osb_failed_authentication_attempts_total`: The total number of failed authentication attempts.
I've manually reviewed the library I used to check whether https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ would be a problem. I conclude it's not a problem: (1) The `none` algorithm results in an error. (2) The secrets are always associated with a specific algorithm. It's therefore not possible to use a public key as signature for an HMAC.
TODO
- and extend E2E Tests
Checklist
- `bug`, `enhancement`, `documentation`, `change`, `breaking`, as they show up in the changelog
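As an added illustration of the two properties the description relies on (an `alg` of `none` is an error, and a secret is bound to exactly one algorithm), here is a stdlib-only Go verifier written for this page; it is not code from this PR or from the JWT library the project uses, and the secret, claims and token it works with are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Constructed demo secret; a real deployment loads it from configuration.
var hmacKey = []byte("constructed-demo-secret")
var b64 = base64.RawURLEncoding
// hs256 computes HMAC-SHA256 over the JWT signing input (header.payload).
func hs256(signingInput string) []byte {
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}
// signHS256 mints a compact JWT; used here only to build inputs for verifyHS256.
func signHS256(claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return in + "." + b64.EncodeToString(hs256(in))
}
// verifyHS256 accepts only tokens whose header says HS256 and whose HMAC matches hmacKey.
// Binding the key to one algorithm rejects "none" and RS256-header key confusion up front.
func verifyHS256(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("jwt: alg must be HS256 for this key")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(parts[0]+"."+parts[1])) {
		return nil, errors.New("jwt: invalid signature")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	return claims, json.Unmarshal(body, &claims)
}
```

The header is checked against the algorithm the key was provisioned for before any signature is compared, so a token that merely declares a different `alg` never reaches the HMAC comparison.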