ext_jwt: streamline expected aud in access tokens and id tokens (#87401)

This commit is contained in:
Charandas 2024-05-07 11:20:16 -07:00 committed by GitHub
parent 6c47968f6c
commit a9da6ce1d5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 16 additions and 22 deletions


@ -21,25 +21,22 @@ import (
var _ authn.Client = new(ExtendedJWT) var _ authn.Client = new(ExtendedJWT)
const ( const (
rfc9068ShortMediaType = "at+jwt"
extJWTAuthenticationHeaderName = "X-Access-Token" extJWTAuthenticationHeaderName = "X-Access-Token"
extJWTAuthorizationHeaderName = "X-Grafana-Id" extJWTAuthorizationHeaderName = "X-Grafana-Id"
extJWTAccessTokenExpectAudience = "grafana"
) )
func ProvideExtendedJWT(userService user.Service, cfg *setting.Cfg, func ProvideExtendedJWT(userService user.Service, cfg *setting.Cfg,
signingKeys signingkeys.Service) *ExtendedJWT { signingKeys signingkeys.Service) *ExtendedJWT {
verifier := authlib.NewAccessTokenVerifier(authlib.VerifierConfig{ verifier := authlib.NewAccessTokenVerifier(authlib.VerifierConfig{
SigningKeysURL: cfg.ExtJWTAuth.JWKSUrl, SigningKeysURL: cfg.ExtJWTAuth.JWKSUrl,
AllowedAudiences: []string{ AllowedAudiences: []string{extJWTAccessTokenExpectAudience},
cfg.ExtJWTAuth.ExpectAudience,
},
}) })
// For ID tokens, we explicitly do not validate audience, hence an empty AllowedAudiences
// Namespace claim will be checked
idTokenVerifier := authlib.NewIDTokenVerifier(authlib.VerifierConfig{ idTokenVerifier := authlib.NewIDTokenVerifier(authlib.VerifierConfig{
SigningKeysURL: cfg.ExtJWTAuth.JWKSUrl, SigningKeysURL: cfg.ExtJWTAuth.JWKSUrl,
AllowedAudiences: []string{
cfg.ExtJWTAuth.ExpectAudience,
},
}) })
return &ExtendedJWT{ return &ExtendedJWT{
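Review bot: The ID-token verifier built at `idTokenVerifier := authlib.NewIDTokenVerifier(...)` now carries no AllowedAudiences, and the comment above it says the namespace claim will be checked, but nothing in this hunk performs that check; the comment should name where it happens (presumably on the authenticate path, outside this hunk) and a test should pin it, since the audience check alone no longer rejects an ID token minted for a different audience once the signing key is trusted. The access-token audience is at the same time hard-coded to `"grafana"` while the `expect_audience` setting is dropped, so a deployment that set that key has it silently ignored and its previously accepted access tokens rejected; that deserves a line in the commit message and a doc comment on the constant, e.g. `// extJWTAccessTokenExpectAudience is the fixed aud every access token must carry; the former expect_audience setting no longer applies.`. If one JWKS is shared by several Grafana instances, a fixed audience also means aud no longer binds an access token to one instance, so it is worth confirming the namespace check covers that case. ProvideExtendedJWT continues past the end of the hunk.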


@ -38,7 +38,7 @@ var (
Claims: &jwt.Claims{ Claims: &jwt.Claims{
Issuer: "http://localhost:3000", Issuer: "http://localhost:3000",
Subject: "access-policy:this-uid", Subject: "access-policy:this-uid",
Audience: jwt.Audience{"http://localhost:3000"}, Audience: jwt.Audience{extJWTAccessTokenExpectAudience},
ID: "1234567890", ID: "1234567890",
Expiry: jwt.NewNumericDate(time.Date(2023, 5, 3, 0, 0, 0, 0, time.UTC)), Expiry: jwt.NewNumericDate(time.Date(2023, 5, 3, 0, 0, 0, 0, time.UTC)),
IssuedAt: jwt.NewNumericDate(time.Date(2023, 5, 2, 0, 0, 0, 0, time.UTC)), IssuedAt: jwt.NewNumericDate(time.Date(2023, 5, 2, 0, 0, 0, 0, time.UTC)),
@ -54,7 +54,7 @@ var (
Claims: &jwt.Claims{ Claims: &jwt.Claims{
Issuer: "http://localhost:3000", Issuer: "http://localhost:3000",
Subject: "user:2", Subject: "user:2",
Audience: jwt.Audience{"http://localhost:3000"}, Audience: jwt.Audience{"stack:1"},
ID: "1234567890", ID: "1234567890",
Expiry: jwt.NewNumericDate(time.Date(2023, 5, 3, 0, 0, 0, 0, time.UTC)), Expiry: jwt.NewNumericDate(time.Date(2023, 5, 3, 0, 0, 0, 0, time.UTC)),
IssuedAt: jwt.NewNumericDate(time.Date(2023, 5, 2, 0, 0, 0, 0, time.UTC)), IssuedAt: jwt.NewNumericDate(time.Date(2023, 5, 2, 0, 0, 0, 0, time.UTC)),
@ -68,7 +68,7 @@ var (
Claims: &jwt.Claims{ Claims: &jwt.Claims{
Issuer: "http://localhost:3000", Issuer: "http://localhost:3000",
Subject: "access-policy:this-uid", Subject: "access-policy:this-uid",
Audience: jwt.Audience{"http://localhost:3000"}, Audience: jwt.Audience{extJWTAccessTokenExpectAudience},
ID: "1234567890", ID: "1234567890",
Expiry: jwt.NewNumericDate(time.Date(2023, 5, 3, 0, 0, 0, 0, time.UTC)), Expiry: jwt.NewNumericDate(time.Date(2023, 5, 3, 0, 0, 0, 0, time.UTC)),
IssuedAt: jwt.NewNumericDate(time.Date(2023, 5, 2, 0, 0, 0, 0, time.UTC)), IssuedAt: jwt.NewNumericDate(time.Date(2023, 5, 2, 0, 0, 0, 0, time.UTC)),
@ -81,7 +81,7 @@ var (
Claims: &jwt.Claims{ Claims: &jwt.Claims{
Issuer: "http://localhost:3000", Issuer: "http://localhost:3000",
Subject: "user:2", Subject: "user:2",
Audience: jwt.Audience{"http://localhost:3000"}, Audience: jwt.Audience{"stack:1234"},
ID: "1234567890", ID: "1234567890",
Expiry: jwt.NewNumericDate(time.Date(2023, 5, 3, 0, 0, 0, 0, time.UTC)), Expiry: jwt.NewNumericDate(time.Date(2023, 5, 3, 0, 0, 0, 0, time.UTC)),
IssuedAt: jwt.NewNumericDate(time.Date(2023, 5, 2, 0, 0, 0, 0, time.UTC)), IssuedAt: jwt.NewNumericDate(time.Date(2023, 5, 2, 0, 0, 0, 0, time.UTC)),
@ -532,7 +532,6 @@ func setupTestCtx(cfg *setting.Cfg) *testEnv {
ExtJWTAuth: setting.ExtJWTSettings{ ExtJWTAuth: setting.ExtJWTSettings{
Enabled: true, Enabled: true,
ExpectIssuer: "http://localhost:3000", ExpectIssuer: "http://localhost:3000",
ExpectAudience: "http://localhost:3000",
}, },
} }
} }
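Review bot: The updated fixtures switch the access tokens to `extJWTAccessTokenExpectAudience` and the ID tokens to `"stack:1"` / `"stack:1234"`, but no case visible in these hunks asserts the rule the production change introduces: that an access token whose aud is not `"grafana"` is rejected, and that an ID token's aud is accepted regardless of value. A fixture such as `Audience: jwt.Audience{"not-grafana"}` on an otherwise valid access token, expected to fail authentication, would pin the first half, and an ID token with an unrelated aud that still authenticates would pin the second. Both the enclosing `var (` block and `setupTestCtx` extend beyond these hunks, so such cases may exist elsewhere in the file.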


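--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -28,7 +28,6 @@ type AuthJWTSettings struct {
 type ExtJWTSettings struct {
 	Enabled bool
 	ExpectIssuer string
-	ExpectAudience string
 	JWKSUrl string
 }
@@ -36,7 +35,6 @@ func (cfg *Cfg) readAuthExtJWTSettings() {
 	authExtendedJWT := cfg.SectionWithEnvOverrides("auth.extended_jwt")
 	jwtSettings := ExtJWTSettings{}
 	jwtSettings.Enabled = authExtendedJWT.Key("enabled").MustBool(false)
-	jwtSettings.ExpectAudience = authExtendedJWT.Key("expect_audience").MustString("")
 	jwtSettings.JWKSUrl = authExtendedJWT.Key("jwks_url").MustString("")
 	cfg.ExtJWTAuth = jwtSettings
 }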
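Review bot: `readAuthExtJWTSettings` drops the `expect_audience` key with no transition handling, so a config that still sets it under `[auth.extended_jwt]` is silently ignored and the operator gets no hint why tokens carrying the old audience stop validating. If the section type exposes a key-presence lookup, a one-line warning when the key is still present, with a comment such as `// expect_audience was removed; warn so operators notice the audience is now fixed`, would make the migration visible; the removal should also be reflected in the sample config and release notes, which are outside this commit. Removing the `ExpectAudience` field from the exported `ExtJWTSettings` struct is an API change that the compiler catches inside this repository but not for any out-of-tree code that reads the struct, if such code exists.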