feat: Support for urn:ietf:params:oauth:grant-type:jwt-bearer grant type RFC 7523 #2384
Conversation
Xopek
changed the title
|
@aeneasr The only help i need is with e2e test for jwt bearer auth grant. Main problem: don't know how to generate jwk and it is needed to create grant. Maybe you have some ideas? |
.schema/config.schema.json
Outdated
| @@ -201,6 +201,37 @@ | |||
| "examples": [ | |||
| "1h" | |||
| ] | |||
| }, | |||
| "grantJWT": { | |||
There was a problem hiding this comment.
JSON Schema demands grantJwt here :)
.schema/config.schema.json
Outdated
| "additionalProperties": false, | ||
| "properties": { | ||
| "jwt": { | ||
| "$ref": "#/definitions/grantJWT" |
There was a problem hiding this comment.
Unless this is being used somewhere else there isn't really a need to have it as a definition so you can just embed it here IMO.
.schema/config.schema.json
Outdated
| "properties": { | ||
| "client_auth_optional": { | ||
| "type": "boolean", | ||
| "description": "If false, client authentication is required to get access token.", |
There was a problem hiding this comment.
Describe what happens if this is true
.schema/config.schema.json
Outdated
| "description": "If false, client authentication is required to get access token.", | ||
| "default": false | ||
| }, | ||
| "id_optional": { |
There was a problem hiding this comment.
| "id_optional": { | |
| "jti_optional": { |
.schema/config.schema.json
Outdated
| "description": "If false, JTI claim must be present in JWT assertion.", | ||
| "default": false | ||
| }, | ||
| "issued_date_optional": { |
There was a problem hiding this comment.
| "issued_date_optional": { | |
| "iat_optional": { |
.schema/config.schema.json
Outdated
| "description": "If false, IAT claim must be present in JWT assertion.", | ||
| "default": false | ||
| }, | ||
| "max_duration": { |
There was a problem hiding this comment.
| "max_duration": { | |
| "max_ttl": { |
.schema/config.schema.json
Outdated
| "default": false | ||
| }, | ||
| "max_duration": { | ||
| "description": "Configures how long JWT assertion is considered valid, since being issued.", |
There was a problem hiding this comment.
| "description": "Configures how long JWT assertion is considered valid, since being issued.", | |
| "description": "Configures what the maximum age of a JWT assertion can be. Overrides the JWT's EXP claim. Useful as a safety measure and recommended to not be set to 720h max.", |
There was a problem hiding this comment.
Well it doesn't overrides EXP claim, it compares EXP claim to current setting. Made some corrections in description.
|
Could you also please rebase on (or merge with) master? That would resolve some of the test issues we're seeing (I hope) :) |
Xopek
force-pushed
the
auth-grant-type-jwt-bearer
branch
from
9dcff3f to
7724517
Compare
done |
|
Thank you! Looks like there is a small conflict with persister_test. I will look into the code with a bit of time this week but from a high-level view it looks really good! |
|
Ok I resolved the conflicts and brought everything up to speed. Trying to wrap my head around this feature again as it has been some time. Also, to to make sure - this PR only addresses https://tools.ietf.org/html/rfc7523#section-2.1 not https://tools.ietf.org/html/rfc7523#section-2.2 - correct? |
|
@Xopek I addressed the merge conflicts locally but can not push on your branch as I am not allowed to. Could you check the box "allow write access for maintainers": https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/allowing-changes-to-a-pull-request-branch-created-from-a-fork Also to make sure - this PR only addresses https://tools.ietf.org/html/rfc7523#section-2.1 not https://tools.ietf.org/html/rfc7523#section-2.2 - correct? Also we should add a guide on how to use this feature in |
|
Hello, I have made a couple of improvements in my auth-grant-type-jwt-bearer branch. There's a couple more things we need to do:
Otherwise this looks pretty good to me! |
Yes, you are correct |
|
You can find my changes here: Tinkoff#1 |
I will try to enable "allow write access for maintainers", however because fork is in organization it can be hard. Alternatively i will cherry your commits in your branch into my branch.
Correct
I think yes Yes i think i c |
Thanks) |
|
I'd love to help this feature get merged/released. Can I help with documentation here? Anything else that needs work? |
Will be great! You can make changes in your branch, i will cherry pick them! |
|
Considering this PR - i need some time to get back on it |
|
Marking as draft |
|
You are right 😄 I updated Tinkoff#5 with the change. This should make the tests run without a timeout. Thank you. |
|
Awesome! I think that once the merge conflicts are resolved, the tests should pass :) |
feat: remove redundant end-to-end tests
|
@aeneasr @jagobagascon I fixed merged conflicts. There was also some case-sentitive contributors file hell. There were two versions of this file, one in lowercase, one in uppercase. Tests are now passing, but we have probmel with security checks now, escpecially with embedded private keys. @jagobagascon can we generate them on the fly maybe? Or what options do we have @aeneasr ? |
Codecov Report
@@ Coverage Diff @@
## master #2384 +/- ##
==========================================
+ Coverage 76.85% 77.93% +1.07%
==========================================
Files 105 110 +5
Lines 7146 7636 +490
==========================================
+ Hits 5492 5951 +459
- Misses 1248 1267 +19
- Partials 406 418 +12
Continue to review full report at Codecov.
|
Yes, I added the change here: Tinkoff#6 That change should get rid of all security alerts. |
Hard-coded keys were secure because they were only used inside a test. However the CodeQL analyze tool was complaining about it so this change should stop that.
The CodeQL analyze tool was complaining about using a cryptographically insecure random value in a security context. This change should stop that.
|
All failing Code scanning results were fixed with the last change, but for some reason new errors appeared in I would say that the things it is complaining about were not changed by this PR (they are already in the master branch) so I don't think we should fix them here. WDYT? Appart from this I would say this is ready to be reviewed by @aeneasr. |
…-bearer # Conflicts: # CONTRIBUTORS
|
This is the best gift for the new year for us! Thank's to everyone! 🎉 |
|
Hello @Xopek PS: You all have been great in the community, big smooch on the forehead for everybody participating in this PR, let me know and we throw in some more for the rest of the team. |
|
@Xopek thoughts on expanding this to allow passing custom claims in the jwt that get added to the generated token? |
And what kind of claims you want to add? Because currently claims only needed for hydra to verify, that you have right to get token. After that, your jwt is not needed, you will use token, while it is valid. |
|
@Xopek in my use case it would be something like a group id. I provide the group id in the access token claims to avoid additional lookup in some of my API's. but for 95% of my use cases it fits perfectly already, thanks a lot for this great contribution! |
|
We need a way to do delegation/impersonation, allowing an |
Related issue
#2229 @aeneasr
Proposed changes
This changes adds Support for JSON Web Token (JWT) Profile for OAuth 2.0 Authorization Grants (RFC7523).
Users of Hydra will be able to grant permission for OAuth 2.0 client to act on behalf of some resource owner using jwt bearer assertions.
Checklist
vulnerability. If this pull request addresses a security. vulnerability, I
confirm that I got green light (please contact
security@ory.sh) from the maintainers to push
the changes.
works.
Further comments