Api protection JWt token introspection enhancement #410

Closed
pujavs opened this issue Feb 17, 2021 · 4 comments
Labels
kind-enhancement Issue or PR is an enhancement to an existing functionality

Comments

pujavs (Contributor) commented Feb 17, 2021

Requirement:

  1. config-api will maintain a restricted list of issuers in a properties file.
  2. config-api will support bearer access tokens - JWT and reference (simple).
  3. JWT flow:
     3.1) Parse JWT token
     3.2) Validate token - issuer should be present in the restricted list
     3.3) Validate issuer
     3.4) Retrieve auth server JSON Web Keys - jwks_uri
     3.5) Verify the signature used to sign the access token
     3.6) Verify the scopes
     If any of the above steps fails, a 401 - Unauthorized is thrown.
  4. Reference (simple) token flow:
     4.1) If an issuer is present in any of the above cases then it will be validated against the restricted list, and if the issuer is not among this list then config-api rejects the call and throws 401 - Unauthorized.
     4.2) If the issuer is present in the restricted list then the introspection URL is fetched using the discovery endpoint and the token is validated against it.
     4.3) If the issuer is not present then the token will be validated against the underlying jans-auth-server.

Acceptance Criteria:

  1. Successful authorization and access to valid JWT access token
  2. Successful authorization and access to valid Reference access token
@pujavs pujavs self-assigned this Feb 17, 2021
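Added example (not code from jans-config-api or from this issue): the JWT branch of the requirement above, steps 3.1 to 3.6, as a self-contained Go program. The discovery call and the jwks_uri fetch are replaced by a hypothetical in-memory JWKS per issuer, the issuer URL, kid and scope strings are made up for the demo, and the Validator, ValidateJWT, MintRS256 and PublicJWK names are this example's own. It also pins the signing algorithm to RS256, which the list above does not mention, and it does not implement the reference-token (introspection) branch.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Every failed step collapses to the single answer the issue specifies: 401.
var ErrUnauthorized = errors.New("401 Unauthorized")

type jwk struct{ Kid, Kty, N, E string } // RSA subset of one jwks_uri entry
type header struct{ Alg, Kid string }   // no json tags: encoding/json matches keys case-insensitively
type claims struct{ Iss, Scope string; Exp int64 }

// Validator: the restricted issuer list plus a hypothetical in-memory stand-in for discovery (JWKS per issuer).
type Validator struct {
	AllowedIssuers map[string]bool
	JWKS           map[string][]jwk
	Now            func() time.Time
}

var enc = base64.RawURLEncoding

// ValidateJWT runs the issue's steps 3.1-3.6 and stops at the first failure.
func (v *Validator) ValidateJWT(token string, required []string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return ErrUnauthorized // 3.1: not a compact JWS (e.g. an opaque reference token)
	}
	hb, e1 := enc.DecodeString(parts[0])
	cb, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	var h, c = header{}, claims{}
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &h) != nil || json.Unmarshal(cb, &c) != nil {
		return ErrUnauthorized
	}
	// 3.2/3.3: issuer must be listed before any key is looked up for it; the algorithm is
	// pinned rather than taken from the header, so "none" or HS256 never gets a hearing (added hardening).
	if !v.AllowedIssuers[c.Iss] || h.Alg != "RS256" {
		return ErrUnauthorized
	}
	var pub *rsa.PublicKey // 3.4: select the kid from the issuer's JWKS and rebuild the key from n/e
	for _, k := range v.JWKS[c.Iss] {
		n, en := enc.DecodeString(k.N)
		e, ee := enc.DecodeString(k.E)
		if k.Kid == h.Kid && k.Kty == "RSA" && en == nil && ee == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return ErrUnauthorized
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return ErrUnauthorized // 3.5: signature does not match the issuer's key
	}
	if v.Now().Unix() >= c.Exp {
		return ErrUnauthorized // expired; checked only after the signature is trusted
	}
	for _, s := range required { // 3.6: every required scope must be in the space-delimited claim
		if !strings.Contains(" "+c.Scope+" ", " "+s+" ") {
			return ErrUnauthorized
		}
	}
	return nil
}

// MintRS256 plays the auth server: it signs header.claims with priv.
func MintRS256(priv *rsa.PrivateKey, kid, iss, scope string, exp time.Time) string {
	hb, _ := json.Marshal(map[string]any{"alg": "RS256", "kid": kid})
	cb, _ := json.Marshal(map[string]any{"iss": iss, "exp": exp.Unix(), "scope": scope})
	input := enc.EncodeToString(hb) + "." + enc.EncodeToString(cb)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig)
}

// PublicJWK renders pub the way a jwks_uri document would list it.
func PublicJWK(kid string, pub *rsa.PublicKey) jwk {
	return jwk{Kid: kid, Kty: "RSA", N: enc.EncodeToString(pub.N.Bytes()), E: enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss := "https://idp.example.org" // hypothetical external issuer on the restricted list
	v := &Validator{AllowedIssuers: map[string]bool{iss: true}, JWKS: map[string][]jwk{iss: {PublicJWK("k1", &priv.PublicKey)}}, Now: time.Now}
	tok := MintRS256(priv, "k1", iss, "config-read", time.Now().Add(time.Hour))
	fmt.Println(v.ValidateJWT(tok, []string{"config-read"}), v.ValidateJWT(tok, []string{"config-write"})) // <nil> 401 Unauthorized
}
```

The three rejections the thread later reports as tested (invalid issuer, expired token, invalid signature) are the ErrUnauthorized paths here. The order of the checks matters: the issuer is checked before anything is fetched for it, so an attacker-chosen iss never triggers a discovery or JWKS request, and the signature is verified before any claim, including exp, is believed.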
pujavs (Contributor, Author) commented Feb 18, 2021

Exception cases tested:

  1. Exception Case#1: Jwt Issuer is Invalid
  2. Exception Case#2: ID Token is expired
  3. Exception Case#3: Jwt Signature is Invalid

Evidence:
Uploading Issues#17-Jwt_N_Reference_Access_Token.xlsx…

pujavs (Contributor, Author) commented Feb 19, 2021

Successful Testing

Tested code with successful JWKS validation of an external IDP (access token generated by a server other than the underlying auth server)
Evidence:
Issues#17-Jwt_N_Reference_Access_Token_Success.xlsx

pujavs (Contributor, Author) commented Feb 23, 2021

RSA and EC token testing results

Issues#17-Jwt_N_Reference_Access_Token_Success.xlsx

pujavs (Contributor, Author) commented Mar 1, 2021

Code deployed and working as expected on gasmyr.gluu.org
Code reviewed and merged into master => https://github.com/JanssenProject/jans-config-api/pull/18

@pujavs pujavs closed this as completed Mar 1, 2021
@ossdhaval ossdhaval transferred this issue from another repository Jan 14, 2022
@ossdhaval ossdhaval added the kind-enhancement Issue or PR is an enhancement to an existing functionality label Jan 14, 2022
This was referenced Feb 14, 2022