Reprovision if token name does not match identity #1654

Closed
ripienaar opened this issue Apr 20, 2022 · 0 comments

Related to #1309, we should also detect the scenario where the JWT token has an identity in it other than the one the machine has; it should then go into provisioning mode instead of using that.

ripienaar added the wd label Apr 20, 2022
ripienaar added a commit to ripienaar/go-choria that referenced this issue Apr 20, 2022
The caller id is used to generate unique subjects for replies
but also by the broker to set locked down permissions for servers
ensuring they can only get their own directed messages.

We should ensure that the token we hold matches the running identity
else we end up with unreachable nodes or clients.

In the case of provisionable servers this scenario will now trigger
a reprovision; in the case of clients it will just fail.

Signed-off-by: R.I.Pienaar <rip@devco.net>
ripienaar added a commit that referenced this issue Apr 20, 2022
(#1654) prevent use of jwt tokens with non matching caller id
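
The check described in this issue, as an added example that is not go-choria's own code: verify the token, compare the identity it carries with the identity the process runs as, then either use it, reprovision (provisionable servers) or fail (clients). The `identity` claim name, the Ed25519 signing, the function and constant names, the generated key pair and the node names are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type Action string
const (
	UseToken    Action = "use-token"   // claim matches the running identity
	Reprovision Action = "reprovision" // provisionable server, mismatched token
	Fail        Action = "fail"        // client, or a token that cannot be trusted
)
var b64 = base64.RawURLEncoding
var samplePub, samplePriv, _ = ed25519.GenerateKey(nil) // constructed demo key pair

// CheckTokenIdentity verifies an EdDSA JWT, then compares its assumed "identity" claim with the running identity.
func CheckTokenIdentity(token string, pub ed25519.PublicKey, running string, provisionable bool) (Action, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Fail, fmt.Errorf("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return Fail, fmt.Errorf("invalid signature")
	}
	var claims struct{ Identity string `json:"identity"` }
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return Fail, fmt.Errorf("unreadable claims")
	}
	if claims.Identity != "" && claims.Identity == running {
		return UseToken, nil
	} else if provisionable {
		return Reprovision, nil
	}
	return Fail, fmt.Errorf("token identity %q does not match %q", claims.Identity, running)
}

func SignToken(priv ed25519.PrivateKey, identity string) string { // constructed sample token, demo only
	body := b64.EncodeToString([]byte(`{"alg":"EdDSA"}`)) + "." + b64.EncodeToString([]byte(`{"identity":"`+identity+`"}`))
	return body + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(body)))
}

func main() {
	fmt.Println(CheckTokenIdentity(SignToken(samplePriv, "node1.example.net"), samplePub, "node2.example.net", true))
}
```

The signature is checked before the claim is read, so a mismatch decision is never based on unauthenticated token contents.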