Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Simplify authresponse #3864

Merged
merged 4 commits into from Mar 17, 2023
Merged

Simplify authresponse #3864

merged 4 commits into from Mar 17, 2023

Conversation

aricart
Copy link
Member

@aricart aricart commented Feb 10, 2023

This PR reworks the auth callout to simply return an user JWT.

  • Tests added
  • Branch rebased on top of current main (git pull --rebase origin main)
  • Changes squashed to a single commit (described here)
  • Build is green in Travis CI
  • You have certified that the contribution is your original work and that you license the work to the project under the Apache 2 license

Changes proposed in this pull request:

The original auth callout response, is simpler:

  • the response is just JSON {error: string, user_token: string}. If encrypted the entire payload is encrypted.
  • The server id which was set as an audience, is now set as a tag, this allows the server to verify the server (albeit by turning the server ID lower case)
  • For operator mode, the callout should include it's public key, and sign the payload, and return both of these values in a header. This way the server can verify that the payload was sent from the expected service. On encrypted payloads this is not required, since the payload is encrypted and the server can verify.

The callout service can now use account signing keys and scoped signing keys. The server will validate the signing keys used to match the target account, and in the case of the scoped signing key, will assign limits as recorded in the destination account. The one requirement is that the limits be default (zero) struct (otherwise the resulting JWT will be invalid once validation runs).

The audience field is now reserved for account placement on non-operator mode. In operator mode, the user JWT has all the proper attributions to determine the target account.

/cc @nats-io/core

@aricart aricart changed the base branch from main to dev February 10, 2023 20:59
server/auth_callout.go Outdated Show resolved Hide resolved
server/auth_callout.go Outdated Show resolved Hide resolved
server/auth_callout.go Outdated Show resolved Hide resolved
server/auth_callout.go Outdated Show resolved Hide resolved
@aricart aricart force-pushed the simplify-authresponse branch 2 times, most recently from 6e88c04 to ced92ae Compare February 18, 2023 18:24
@aricart aricart marked this pull request as ready for review February 20, 2023 13:42
@aricart aricart requested a review from a team as a code owner March 6, 2023 19:50
@aricart aricart force-pushed the simplify-authresponse branch 6 times, most recently from d3afc3b to faf38b7 Compare March 11, 2023 18:42
@derekcollison
Copy link
Member

Let me know when we think this one is ready for review.

@aricart aricart force-pushed the simplify-authresponse branch 4 times, most recently from 247f3b9 to 6c12ef5 Compare March 16, 2023 15:37
removed server_key as name/id are already the right values
Copy link
Member

@derekcollison derekcollison left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@derekcollison derekcollison merged commit d8ad667 into dev Mar 17, 2023
2 checks passed
@derekcollison derekcollison deleted the simplify-authresponse branch March 17, 2023 18:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants