Make header = "Authorization" the default authentication mechanism …
…for JWT
afflerbach committed Dec 23, 2021
1 parent 0b21b3f commit ed059a5
Showing 7 changed files with 25 additions and 15 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -12,6 +12,7 @@ Unreleased changes are available as `avenga/couper:edge` container.
* `expected_status` attribute for `request` and `proxy` block definitions which can be caught with [error handling](./docs/ERRORS.md#endpoint-related-error_handler) ([#405](https://github.com/avenga/couper/issues/405))

* **Changed**
* `header = "Authorization"` is now the default authentication mechanism for JWT and may be omitted ([#](https://github.com/avenga/couper/issues/))
* Missing [scope or roles claims](./docs/REFERENCE.md#jwt-block), or scope or roles claim with unsupported values are now ignored instead of causing an error ([#380](https://github.com/avenga/couper/issues/380))
* Improved the validation for unique keys in all map-attributes in the config ([#403](https://github.com/avenga/couper/pull/403))
* The access control for the OIDC redirect endpoint ([`oidc` block](./docs/REFERENCE.md#oidc-block)) now verifies ID token signatures ([#404](https://github.com/avenga/couper/pull/404))
6 changes: 6 additions & 0 deletions accesscontrol/jwt.go
Expand Up @@ -97,6 +97,12 @@ func NewJWTSource(cookie, header string, value hcl.Expression) JWTSource {
Type: Header,
}
}
if h == "" && c == "" {
return JWTSource{
Name: "Authorization",
Type: Header,
}
}
return JWTSource{}
}

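Review bot: The new `if h == "" && c == ""` branch silently turns a configuration that previously failed with "token source is invalid" into one that reads the `Authorization` header, and nothing at that line says so; a comment such as `// Neither header nor cookie configured: default to the Authorization header (Bearer scheme, see docs/REFERENCE.md).` would make the behaviour change visible to the next reader. The check does not look at `value`: if the `token_value` expression branch runs earlier in NewJWTSource (outside this hunk) that is fine, otherwise a `token_value`-only configuration would be handed the header default instead — worth confirming. The literal `"Authorization"` now appears both here and in the case-insensitive Bearer handling described in the docs; a single named constant would keep the two from drifting. NewJWTSource begins before this hunk.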
13 changes: 13 additions & 0 deletions accesscontrol/jwt_test.go
Expand Up @@ -664,6 +664,19 @@ func TestJwtConfig(t *testing.T) {
`,
"jwt key: read error: required: configured attribute or file",
},
{
"ok: signature_algorithm + key (default: header = Authorization)",
`
server "test" {}
definitions {
jwt "myac" {
signature_algorithm = "HS256"
key = "..."
}
}
`,
"",
},
{
"ok: signature_algorithm + key + header",
`
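Review bot: The new table entry `"ok: signature_algorithm + key (default: header = Authorization)"` only asserts that configuration validation produces no error, so it would still pass if the fallback silently picked some other source; a direct constructor test, e.g. `src := NewJWTSource("", "", nil)` followed by `if src.Type != Header || src.Name != "Authorization" { t.Fatalf("got %+v", src) }`, would pin the default itself. Whether `nil` is acceptable for the expression argument depends on how NewJWTSource treats it, which is outside this hunk, and `Header` is only reachable unqualified if the test file shares the package. TestJwtConfig starts and ends outside the hunk.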
2 changes: 1 addition & 1 deletion docs/REFERENCE.md
Expand Up @@ -366,7 +366,7 @@ required _label_.
| :-------- | :--------------- | :--------------- | :--------------- | :--------------- | :--------------- |
| `cookie` |string|-|Read token value from a cookie.|cannot be used together with `header` or `token_value` |`cookie = "AccessToken"`|
| `custom_log_fields` | map | - | Defines log fields for [Custom Logging](LOGS.md#custom-logging). | ⚠ Inherited by nested blocks. | - |
| `header` |string|-|Read token value from a request header field.|⚠ Implies `Bearer` if `Authorization` (case-insensitive) is used, otherwise any other header name can be used. Cannot be used together with `cookie` or `token_value`.|`header = "Authorization"` |
| `header` |string| `Authorization` |Read token value from a request header field.|⚠ Implies `Bearer` if `Authorization` (case-insensitive) is used, otherwise any other header name can be used. Cannot be used together with `cookie` or `token_value`.|`header = "Authorization"` |
| `token_value` | string | - | expression to obtain the token | cannot be used together with `cookie` or `header` | `token_value = request.form_body.token[0]`|
| `key` |string|-|Public key (in PEM format) for `RS*` and `ES*` variants or the secret for `HS*` algorithm.|-|-|
| `key_file` |string|-|Optional file reference instead of `key` usage.|-|-|
2 changes: 1 addition & 1 deletion server/http_integration_test.go
Expand Up @@ -3199,7 +3199,7 @@ func TestJWTAccessControlSourceConfig(t *testing.T) {
log, _ := logrustest.NewNullLogger()
ctx := context.TODO()

expectedMsg := "configuration error: missing-source: token source is invalid"
expectedMsg := "configuration error: invalid-source: token source is invalid"

err = command.NewRun(ctx).Execute([]string{couperConfig.Filename}, couperConfig, log.WithContext(ctx))
logErr, _ := err.(errors.GoError)
12 changes: 0 additions & 12 deletions server/testdata/integration/config/03_couper.hcl
Expand Up @@ -297,18 +297,15 @@ definitions {
password = "PWD"
}
jwt "JWTToken" {
header = "Authorization"
signature_algorithm = "HS256"
key = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
beta_scope_claim = "scope"
}
jwt "RSAToken" {
header = "Authorization"
signature_algorithm = "RS256"
key_file = "../files/certificate.pem"
}
jwt "RSAToken1" {
header = "Authorization"
signature_algorithm = "RS256"
key =<<-EOF
-----BEGIN RSA PUBLIC KEY-----
Expand Down Expand Up @@ -337,19 +334,16 @@ definitions {
EOF
}
jwt "RSATokenWrongAlgorithm" {
header = "Authorization"
signature_algorithm = "RS384"
key_file = "../files/certificate.pem"
}
jwt "ECDSAToken" {
header = "Authorization"
signature_algorithm = "ES256"
key_file = "../files/certificate-ecdsa.pem"
signing_ttl = "10s"
signing_key_file = "../files/ecdsa.key"
}
jwt "ECDSAToken8" {
header = "Authorization"
signature_algorithm = "ES256"
key =<<-EOF
-----BEGIN PUBLIC KEY-----
Expand All @@ -359,36 +353,30 @@ definitions {
EOF
}
jwt "ECDSATokenWrongAlgorithm" {
header = "Authorization"
signature_algorithm = "ES384"
key_file = "../files/certificate-ecdsa.pem"
}
jwt "JWKS" {
header = "Authorization"
jwks_url = "file:../files/jwks.json"
}
jwt "JWKS_scope" {
header = "Authorization"
jwks_url = "file:../files/jwks.json"
beta_scope_claim = "scope"
}
jwt "JWKSRemote" {
header = "Authorization"
jwks_url = "${env.COUPER_TEST_BACKEND_ADDR}/jwks.json"
}
jwt "JWKS_not_found" {
header = "Authorization"
jwks_url = "${env.COUPER_TEST_BACKEND_ADDR}/not.found"
}
jwt "JWKSBackend" {
header = "Authorization"
jwks_url = "${env.COUPER_TEST_BACKEND_ADDR}/jwks.json"
backend {
origin = env.COUPER_TEST_BACKEND_ADDR
}
}
jwt "JWKSBackendRef" {
header = "Authorization"
jwks_url = "${env.COUPER_TEST_BACKEND_ADDR}/jwks.json"
backend = "jwks"
}
4 changes: 3 additions & 1 deletion server/testdata/integration/config/05_couper.hcl
@@ -1,6 +1,8 @@
server "jwt-source" {}
definitions {
jwt "missing-source" {
jwt "invalid-source" {
header = "foo"
cookie = "bar"
signature_algorithm = "HS256"
key = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
}
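Review bot: The renamed `jwt "invalid-source"` block now sets both `header = "foo"` and `cookie = "bar"`, but nothing in the fixture says that the conflict is the point, so a later cleanup could "fix" it by dropping one line and silently make the integration test pass for the wrong reason; a comment such as `# header and cookie are mutually exclusive; this block must fail config validation` above the block would anchor the intent. With the default now in place, the former "missing source" error path is no longer exercised here, which appears to be intentional given the new case in accesscontrol/jwt_test.go, but the commit message does not say so.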
