JWT support should implement aud, exp and nbf #884
Comments
optnfast
changed the title
|
The I think we could add an For example: It would be good to include a separate WDYT about starting here and dealing with the |
|
That seems reasonable. Expect an initial PR for discussion in a bit. |
|
hey @optnfast, have you made progress on this ticket? If not, I'd like to assign this to someone else to work on. Let me know. Thanks! |
|
Yes I have. My current work can be found at: https://github.com/optnfast/opa/tree/jwt I also made a start on adding support for delivering keys via a JWK set. It might be better to treat that as a separate issue though? (Apologies for the radio silence, I spent a while making rapid progress but then had to put things down for unrelated reasons.) |
|
@optnfast that sounds like a good candidate for another PR. If you'd like, feel free to open an issue to track it. |
This implements JWT verification and decoding in a single function, supporting the exp and nbf claims automatically and permitting constraints on the algorithm and issuer to be imposed. re open-policy-agent#884 Signed-off-by: Richard Kettlewell <[email protected]>
re open-policy-agent#884 Signed-off-by: Richard Kettlewell <[email protected]>
|
I've not made any further progress on JWK set support yet, I'll revisit that with a fresh PR sometime as you suggest. |
re open-policy-agent#884 re open-policy-agent#967 Signed-off-by: Richard Kettlewell <[email protected]>
re open-policy-agent#884 re open-policy-agent#967 Signed-off-by: Richard Kettlewell <[email protected]>
re open-policy-agent#884 Signed-off-by: Richard Kettlewell <[email protected]>
|
Fixed by #967 |
Background
https://tools.ietf.org/html/rfc7519#section-4.1 lists several registered JWT claim names, among them:
nbfandexpwhich provide lower and upper bounds for the time range in which a JWT is validaudwhich binds the JWT to a particular audience.Use of the claims is optional (i.e. they need not appear in a JWT) but honoring them is a MUST if they are present.
The OPA JWT support currently does not act on any of the claim names. It's possible to check them in rego, although it's a bit of a performance due to them being optional (and I've not yet attempted to handle the annoying special case where
audis a string rather than a list).OPA Support for
expandnbfThe point of this issue is to that support for these the time claims should be transparently built into the OPA JWT support. Specifically,
io.jwt.decodeshould check them against the current time and error if it is afterexpor beforenbf.The main reason in favor is, of course, that it means that it becomes impossible to accidentally implement a non-compliant JWT parser in rego (whether by getting the rego wrong or simply neglecting to implement
nbfandexp).The possible argument against is that this creates a backwards incompatibility. But it only creates an incompatibility for systems that do not fully comply with the JWT spec, and more rational way of viewing the change is that it fixes a vulnerability in such systems.
OPA support for
audThis is slightly trickier since the desired audience must be specified somehow; adding support to
io.jwt.decodewould be more disruptive. I'm not sure what the best way to proceed is.The text was updated successfully, but these errors were encountered: