- 
                Notifications
    You must be signed in to change notification settings 
- Fork 2.7k
fix: Add the token's rootcert public key to the list of known keys #4471
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Add the token's rootcert public key to the list of known keys #4471
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR! FWIW, we actually want to avoid any of the libtrust cruft seeping back to this codebase, unless the code references some standard/specification.
I need to have a proper look at this. Trusted keys should be read from jwks', keyed by their KeyID assuming your jwks files have been correctly generated I'm a bit puzzled why this breaks 🤔
| 
 That part works, in our setup we did not have the  
 I've seen that the ruby implementation of JWT uses just the plain SHA256 hexdigest as  | 
| c5c0e46f is an to add unit tests to the changes. I felt it was reaching a bit too much but gave it a try nevertheless. Let me know if it's too bad and I'll drop that commit. Addenda: forgot the sign-off. | 
af62d0b    to
    147347f      
    Compare
  
    | Took the liberty to implement the JWT hashing mechanism that RFC7638 defines to use it as KeyID instead of the old  It should satisfy: 
 or at least get closer 😅 | 
| 
 this is what puzzles me...as I said there was a regression that should have been fixed by #4415 which should have made the cert validation kick in before the KeyID check kicks in 🤔 this is what I'm trying to understand - why is this still broken | 
| Maybe is worth noticing that our token server does not include the  | 
| 
 Hah! Yeah, that'll do it... | 
| 
 😅 I knew I missed something | 
| That should also probably be added to the docs though 🤔 | 
| Should I write something up in this PR? Or a new one? | 
| I think it can go into this PR, but mind you I haven't had time to look at this PR yet | 
| Ok, let's do two PR's to keep it lightly then. I'll wait for your feedback on this one :) | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like this approach and I think it could work in distribution.
Couple of things:
- some stylistic changes needed as per the comments
- we need to update the docs mentioning how the JWK thumbprint is calculated
But I think if we iron this out, this would be good to be merged in.
Thoughts @Jamstah @thaJeztah ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall, doesn't degrade anything, and seems to be a sensibly defined spec for making a kid from a JWK.
I'm still not 100% on the need - if the token server is providing JWTs with a kid, then it should also be providing a JWKS url that can be used to lookup the keys. My read of the RFC is that its defining a sensible and secure approach for people writing token servers to generate kid values.
I'm happy with the implementation (other than the comments already raised by Milos!). Requesting changes as I would like to have the documentation alongside the code change.
| 
 Does distribution supports this discovery mechanism? I could swear only the JSON file path is allowed 🤔 | 
| 
 Correct, it doesn't. It would be nice though, because we could technically then implement key rotation, alas... | 
| With regards to documenting: in  
 What do y'all think? And in  Stating that the "Signing Key verification" happens first and it goes a little something like: 
 Maybe a mermaid flow diagram could illustrate better the logic? | 
| 
 I think that'd make sense, yeah. 
 This sounds good. Not sure I'd take it as far as using Mermaid, but if you do I think you'd have to add some deps into package.json in docs and make sure it renders properly. | 
| 
 How about ASCII art? (Anything just not to deal with package.json "fun") | 
0254957    to
    6a58b70      
    Compare
  
    | 
 Yeah, ASCII diagram would work. I think we have some already scattered around the docs. | 
| Small question, in jwt.md this sentence does not match the implementation in  
 
 Additionally, RFC7515 Section 4.1.9 defines  It does mention  OOOOR, on the other hand, maybe is mean to be  https://github.com/go-jose/go-jose/blob/v4.0.4/jwt/jwt.go#L189 p.s.: looks like I didn't need ASCII art after all 😅 | 
| 
 I think so, that's an interesting catch 
 Not sure about that... | 
| aha! found the reference https://datatracker.ietf.org/doc/html/rfc7519#section-5.1  | 
| There's one piece I don't know well where to put, the Certificate Thumbprint as the Default KeyID of the Certificate configured in  There are no references of that key in the JWT/Token docs, but it is referenced in  Any suggestions where that piece would be better written? 🤔 | 
| I would put it into the configuration page and cross-reference it in the token auth 🤷♂️ | 
9d66c6e    to
    b41534d      
    Compare
  
    There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
| @josegomezr can you please squash and sign your commit? | 
- Add Unit tests for `token.newAccessController`
  + Implemented swappable implementations for `token.getRootCerts` and
    `getJwks` to unit test their behavior over the accessController
    struct.
- Use RFC7638 [0] mechanics to compute the KeyID of the rootcertbundle
  provided in the token auth config.
- Extends token authentication docs:
  + Extend `jwt.md` write up on JWT headers & JWT Validation
  + Updated old reference to a draft that's now RFC7515.
  + Extended the JWT validation steps with the JWT Header validation.
  + Reference `jwt.md` in `token.md`
[0]: https://datatracker.ietf.org/doc/html/rfc7638#autoid-13
Signed-off-by: Jose D. Gomez R <[email protected]>
    b41534d    to
    b53946d      
    Compare
  
    | A pleasure to contribute :) until the next  | 
Addresses: #4470