Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New JWT verify/decode #967

Merged
merged 7 commits into from
Sep 25, 2018
Merged

New JWT verify/decode #967

merged 7 commits into from
Sep 25, 2018

Conversation

optnfast
Copy link
Contributor

This sequence of changes implements JWT verification and decoding in a single call. It allows verification to be constrained by key, algorithm, issuer, audience and time (i.e. the exp and nbf fields).

See #884 for discussion.

Richard Kettlewell added 5 commits September 20, 2018 13:17
Move JWT header decoding to a separate function
bc70954 
Signed-off-by: Richard Kettlewell <[email protected]>
Move X.509 certificate parsing to a separate function
02f4813 
Signed-off-by: Richard Kettlewell <[email protected]>
Move test certificate data out of TestTopDownJWTVerifyRSA
d348c01 
Signed-off-by: Richard Kettlewell <[email protected]>
io.jwt.decode_verify JWT verification
6fd9307 
This implements JWT verification and decoding in a single function,
supporting the exp and nbf claims automatically and permitting
constraints on the algorithm and issuer to be imposed.

re open-policy-agent#884

Signed-off-by: Richard Kettlewell <[email protected]>
JWT audience support
d1ab804 
re open-policy-agent#884

Signed-off-by: Richard Kettlewell <[email protected]>
ashutosh-narkar
ashutosh-narkar reviewed Sep 20, 2018
View reviewed changes
docs/book/language-reference.md Outdated

Exactly one of ``cert`` and ``secret`` must be present.
If there are any unrecognized constraints then the token is considered invalid.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be helpful to add another column Required to specify which constraint members are required vs optional.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

None of them are required - the only requirement is that one of cert and secret must be present. Still, you're right, breaking out a separate column improves clarity.

@ashutosh-narkar
Copy link
Member

@optnfast This looks good. Some minor comments.

@ashutosh-narkar ashutosh-narkar merged commit 848caef into open-policy-agent:master Sep 25, 2018
@optnfast optnfast deleted the jwt branch September 26, 2018 09:41
@tsandall tsandall mentioned this pull request Oct 17, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ashutosh-narkar ashutosh-narkar ashutosh-narkar left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@optnfast @ashutosh-narkar