
@paulineribeyre (Contributor) commented Jul 11, 2025

Link to JIRA ticket if there is one: https://ctds-planx.atlassian.net/browse/PPS-2007 and https://ctds-planx.atlassian.net/browse/PPS-2012

Closes #73 (temporary fix)

New Features

  • The audience (`aud`) field of JWT tokens is not validated anymore. The validation of which Gen3 instance a token is meant for is already done by using the issuer (`iss`) field to get public keys and verify the signature.

Breaking Changes

  • The audience (`aud`) field of JWT tokens is not validated anymore.

Bug Fixes

  • Fix "Authentication Error: Audience doesn't match" errors in Gen3 services (such as Sheepdog and Peregrine) running in a local Helm instance. The tokens' "audience" set by Fence (typically the BASE_URL setting "https://hostname/user") did not match the "audience" used by the services (typically the USER_API setting "http://fence-service").

Improvements

Dependency updates

Deployment changes
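As an added illustration (not code from authutils or this PR), the validation flow the description relies on: the `iss` claim selects the verification key from a fixed set of trusted issuers, so a token from an unknown issuer is rejected whatever it claims, while `aud` is only compared when the caller asks for the pre-PR behaviour. HMAC stands in for the RS256 public-key check, and the issuer map, URLs and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed allow-list of issuer -> verification key. A real Gen3 service
# resolves the issuer to its JWKS and verifies RS256; an HMAC secret stands in
# here so the example runs offline. Only issuers listed here can ever pass.
TRUSTED_ISSUER_KEYS = {"https://hostname/user": b"constructed-fence-key"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT for the constructed claims."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_token(token: str, expected_aud: Optional[str] = None,
                   now: Optional[float] = None) -> dict:
    """Pick the key by `iss`, verify signature and expiry, return the claims."""
    # expected_aud=None is the post-PR behaviour: the token's aud is ignored.
    header, body, sig = token.split(".")
    claims = json.loads(_b64url_decode(body))
    key = TRUSTED_ISSUER_KEYS.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected_sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        raise ValueError("signature verification failed")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if expected_aud is not None and claims.get("aud") != expected_aud:
        raise ValueError("Authentication Error: Audience doesn't match")
    return claims

def is_rejected(token: str, expected_aud: Optional[str] = None,
                now: Optional[float] = None) -> bool:
    try:
        validate_token(token, expected_aud, now)
    except ValueError:
        return True
    return False
```

With `expected_aud="http://fence-service"` the Fence-minted token (aud "https://hostname/user") fails exactly as the bug report describes; without it the same token passes while a token from an unlisted issuer is still refused.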

@github-actions

The style in this PR agrees with black. ✔️

This formatting comment was generated automatically by a script in uc-cdis/wool.

@coveralls commented Jul 11, 2025

Pull Request Test Coverage Report for Build 16530226153

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 23 unchanged lines in 2 files lost coverage.
  • Overall coverage increased (+0.2%) to 60.455%

Files with Coverage Reduction    New Missed Lines    %
authutils/token/core.py          10                  81.36%
authutils/user.py                13                  69.77%

Totals (Coverage Status)
Change from base Build 14274986787: 0.2%
Covered Lines: 292
Relevant Lines: 483

💛 - Coveralls

jawadqur previously approved these changes Jul 11, 2025
k-burt-uch previously approved these changes Jul 18, 2025

@k-burt-uch (Contributor) left a comment:

Minor doc and comment clean up. Good to go on my end.

# was if fence generated it, so this provided no further protection beyond general JWT / public
# key verification and validation. The validation of which Gen3 instance the token is meant for
# is already done by using the issuer (`iss` field) to get public keys and verify the signature.
if aud is not None:
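Review bot: the justification in the comment above `if aud is not None:` (the `iss` field is used to get public keys and verify the signature) only replaces the `aud` check if the set of issuers whose keys are accepted is fixed to trusted Fence instances before any key lookup; if an arbitrary `iss` value could be resolved to keys, nothing would bind the token to this deployment once `aud` is ignored. Suggest the comment state that assumption explicitly.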
issuers.append(value)

# Can't set arg default to config[x] in fn def, so doing it this way.
if aud is None:
This should be updated: https://github.com/uc-cdis/authutils/blob/master/src/authutils/token/validate.py#L85 to avoid confusion on whether the aud is validated or not.

@piotrsenkow left a comment:

The code changes and testing function are very clear and make sense to me, I believe all the comments in the PR have been also addressed. Approving PR, great work.

@paulineribeyre paulineribeyre merged commit c7990f3 into master Jul 25, 2025
6 checks passed
@paulineribeyre paulineribeyre deleted the feat/no-aud-check branch July 25, 2025 21:10