
Conversation

@jaireddjawed
Collaborator

@jaireddjawed jaireddjawed commented Mar 20, 2025

Description

When logging into vault, each bound audience is compared against the aud claims to verify a match and determine whether the user can authenticate. This PR adds the option to normalize bound audiences (i.e. compare the bound audience to the aud claims without a trailing slash, if one exists).

This change is needed because some customers have reported browser inconsistency when providing their bound audiences (some browsers produce a URL with a trailing slash, and others produce a URL without one). This affects their ability to authenticate.

Example

If normalization of bound audiences is enabled, the bound audience foo.com/ will match against the aud claim foo.com. However, when normalization is not enabled, it will not match against it.

Implications

The impact of this change on users of cap is minimal. Bound audiences are not normalized by default. Enabling normalization means passing the option WithNormalizedAudiences when calling Validate. Unit tests were updated to verify that this is the case.

Changes in this PR include

  • adding options to the jwt package, including WithNormalizedAudiences, which normalizes bound audiences when enabled
  • unit tests verifying that the original behavior remains when WithNormalizedAudiences is not enabled, and that normalization works correctly when the feature is enabled
  • adding the optional parameter opts to Validate, validateAll, and validateAudiences
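
The matching the description refers to, as an added example written for this page and not code from the cap repository or this PR: a functional option (here a hypothetical validateOptions type; cap's own options type differs) switches between exact comparison and comparison with at most one trailing slash stripped from each side. The sample payloads, parseAudClaim and normalizeAudience are constructed for the example; only the option name WithNormalizedAudiences is taken from the PR. The example also handles the aud claim being either a single string or an array, which RFC 7519 section 4.1.3 permits.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample token payloads for this example (not from the PR).
// RFC 7519 allows "aud" to be a single string or an array of strings.
const payloadArray = `{"iss":"https://issuer.example","aud":["https://foo.com/","other"],"sub":"alice"}`
const payloadString = `{"iss":"https://issuer.example","aud":"https://foo.com","sub":"bob"}`

// Option is a hypothetical functional option type for this example.
type Option func(*validateOptions)

type validateOptions struct {
	normalizeAudiences bool
}

// WithNormalizedAudiences enables trailing-slash-insensitive matching.
// The name is the PR's; the implementation here is illustrative only.
func WithNormalizedAudiences() Option {
	return func(o *validateOptions) { o.normalizeAudiences = true }
}

// parseAudClaim returns the aud claim as a slice whether the token encoded
// it as a string or as an array of strings.
func parseAudClaim(payload []byte) ([]string, error) {
	var claims struct {
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	if len(claims.Aud) == 0 {
		return nil, nil
	}
	var single string
	if err := json.Unmarshal(claims.Aud, &single); err == nil {
		return []string{single}, nil
	}
	var many []string
	if err := json.Unmarshal(claims.Aud, &many); err != nil {
		return nil, fmt.Errorf("aud claim is neither a string nor an array of strings")
	}
	return many, nil
}

// normalizeAudience strips at most one trailing "/". Nothing else changes:
// scheme, host case, port and path must still match byte for byte.
func normalizeAudience(aud string) string {
	return strings.TrimSuffix(aud, "/")
}

// validateAudiences succeeds when at least one bound audience equals one of
// the token's aud values. Without WithNormalizedAudiences the comparison is
// exact; with it, a single trailing slash on either side is ignored.
func validateAudiences(boundAudiences, claimAudiences []string, opts ...Option) error {
	var o validateOptions
	for _, opt := range opts {
		opt(&o)
	}
	for _, bound := range boundAudiences {
		for _, claim := range claimAudiences {
			b, c := bound, claim // copies: never re-normalize the loop variables
			if o.normalizeAudiences {
				b, c = normalizeAudience(b), normalizeAudience(c)
			}
			if b == c {
				return nil
			}
		}
	}
	return fmt.Errorf("no bound audience in %v matched token aud %v", boundAudiences, claimAudiences)
}

func main() {
	bound := []string{"https://foo.com"}
	for _, payload := range []string{payloadArray, payloadString} {
		auds, err := parseAudClaim([]byte(payload))
		if err != nil {
			panic(err)
		}
		fmt.Println("exact:     ", validateAudiences(bound, auds))
		fmt.Println("normalized:", validateAudiences(bound, auds, WithNormalizedAudiences()))
	}
}
```

Two points a reviewer of the real change would want stated in the description: enabling the option widens the set of tokens a bound audience accepts, so a token minted for https://foo.com/ now satisfies a bound of https://foo.com, and the widening is deliberately narrow (one trailing slash, no case folding, no double-slash collapsing). RFC 3986 section 6.2.3 treats an empty path and "/" as equivalent for http(s) URIs with no other path, which covers the browser inconsistency the PR cites, but it does not make foo.com/bar and foo.com/bar/ equivalent, so stripping a slash from any audience is slightly broader than the RFC's scheme-based normalization.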

@jaireddjawed jaireddjawed self-assigned this Mar 20, 2025
@jaireddjawed jaireddjawed marked this pull request as ready for review April 22, 2025 17:26
@jaireddjawed jaireddjawed requested a review from a team as a code owner April 22, 2025 17:26

@jimlambrt jimlambrt left a comment

Can you update the PR description to something that doesn't describe the change related to a specific vault plugin?

Basically, you should give some background information related to audiences (and likely the issuer as well - see below), why this change is being proposed, and the implications of making the change. This should include references to the appropriate internet RFCs about this very topic and in particular URI comparisons. This will allow the PR reviewer, future maintainers, and pkg consumers to understand why this change was made and the implications to every pkg consumer. There were several slack threads that might help inform this more complete description.


@jimlambrt jimlambrt left a comment

Can you use the existing options pattern that's used throughout pkgs in the repo?


@jimlambrt jimlambrt left a comment

Can you add the appropriate unit tests to this PR which cover all proposed changes?

@jaireddjawed
Collaborator Author

Basically, you should give some background information related to audiences (and likely the issuer as well - see below), why this change is being proposed, and the implications of making the change. This should include references to the appropriate internet RFCs about this very topic and in particular URI comparisons. This will allow the PR reviewer, future maintainers, and pkg consumers to understand why this change was made and the implications to every pkg consumer. There were several slack threads that might help inform this more complete description.

Sorry about that. Was in the middle of updating the description when you were reviewing.

@jaireddjawed jaireddjawed changed the title Vault 33101 ignore trailing slash Vault 33101 - Optionally ignore trailing slash in bound audience Apr 22, 2025

@jimlambrt jimlambrt left a comment

Please make all the changes requested before asking for re-review. BTW, you also need a changelog entry.

Also the updated description doesn't quite meet the change I was requesting.

@jaireddjawed
Collaborator Author

Can you add the appropriate unit tests to this PR which cover all proposed changes?

Unit tests were already added.

@jaireddjawed jaireddjawed requested a review from jimlambrt April 23, 2025 07:26
@jaireddjawed
Collaborator Author

jaireddjawed commented Apr 23, 2025

Can you update the PR description to something that doesn't describe the change related to a specific vault plugin?

This should include references to the appropriate internet RFCs about this very topic and in particular URI comparisons.

I don't believe that there was an RFC doc for this change, but I did update the description again to satisfy the rest of your requirements to the best of my ability.

@jaireddjawed jaireddjawed marked this pull request as draft April 23, 2025 16:36