feat(jans-cedarling): custom tokens and putting tokens in principal attrs #10706
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…perty Signed-off-by: rmarinn <[email protected]>
- automatically add token entity references to the principal entities if they are required in the principal's schema Signed-off-by: rmarinn <[email protected]>
- implement support for custom tokens - implement `CEDARLING_TOKEN_ENTITY_MAPPER` bootstrap property to support putting token entities into principal entities - implement `CEDARLING_MAPPING_TOKENS` bootstrap property to support having custom tokens - implement `CEDARLING_MAPPING_ROLE` bootstrap property to set the entity name of the role entity - implement `CEDARLING_TOKEN_VALIDATION_SETTINGS` bootstrap property to support having custom tokens - add support for custom token entity metatdata Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
- remove token entity mapping in entity builder. the token entity mapping is enforced in the jwt module. if the token isn't in the mapper, the token isn't decoded or validated. Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
- add docstring for token entity mapper - add docstring for token entity mapping Signed-off-by: rmarinn <[email protected]>
Implement CEDARLING_TOKEN_CONFIGS which replaces CEDARLING_TOKEN_VALIDATION_SETTINGS and CEDARLING_MAPPING_TOKENS Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
rmarinn
changed the title
mo-auto
added
comp-jans-cedarling
Signed-off-by: rmarinn <[email protected]>
mo-auto
added
area-documentation
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
olehbozhok
reviewed
Jan 23, 2025
| @@ -25,14 +23,14 @@ use crate::{ | |||
| /// - if a Userinfo token is present: | |||
| /// - `userinfo_token.aud` == `access_token.client_id` | |||
| /// - `userinfo_token.sub` == `id_token.sub` | |||
| pub fn validate_id_tkn_trust_mode(tokens: &DecodedTokens) -> Result<(), IdTokenTrustModeError> { | |||
| pub fn validate_id_tkn_trust_mode( | |||
There was a problem hiding this comment.
Should we check other tokens?
There was a problem hiding this comment.
For now, I don't think so since this is just for checking the tokens defined in openid connect core.
Though users want to add additional checks for their custom tokens, they can just do so via the Cedar policies since token entities get created.
olehbozhok
reviewed
Jan 23, 2025
| // we just ignore input tokens that are not defined | ||
| // in the token entity mapper bootstrap config | ||
| // | ||
| // TODO: should we log that we skip some tokens? |
There was a problem hiding this comment.
I think it would be helpful to log this, at least in debug level.
There was a problem hiding this comment.
will add logging in issue #10730 after this merges
olehbozhok
reviewed
Jan 23, 2025
| @@ -484,3 +485,17 @@ pub struct LogTokensInfo<'a> { | |||
| pub userinfo: Option<HashMap<&'a str, &'a serde_json::Value>>, | |||
| pub access: Option<HashMap<&'a str, &'a serde_json::Value>>, | |||
| } | |||
|
|
|||
| #[derive(Debug, Clone, PartialEq, serde::Serialize)] | |||
| pub struct NewLogTokensInfo<'a>(pub HashMap<&'a str, HashMap<&'a str, &'a serde_json::Value>>); | |||
There was a problem hiding this comment.
Why we need to stay LogTokensInfo structure? maybe we can remove LogTokensInfo and rename current to the LogTokensInfo?
There was a problem hiding this comment.
I forgot to remove that since rustanalyzer wasn't complaining that it was unused.
Removed here 673ded1.
olehbozhok
previously approved these changes
Jan 23, 2025
Signed-off-by: rmarinn <[email protected]>
olehbozhok
approved these changes
Jan 23, 2025
The validation was not changed. Validation settings are set via the |
nynymike
approved these changes
Jan 24, 2025
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Prepare
Description
This PR implements:
Target issue
Target issue: #10591
closes #10591
Implementation Details
Updated bootstrap config
The following properties that are related to the JWTs are removed from the bootstrap config:
CEDARLING_MAPPING_ID_TOKENCEDARLING_MAPPING_ACCESS_TOKENCEDARLING_MAPPING_USERINFO_TOKENCEDARLING_AT_ISS_VALIDATIONCEDARLING_AT_JTI_VALIDATIONCEDARLING_AT_NBF_VALIDATIONCEDARLING_AT_EXP_VALIDATIONCEDARLING_IDT_ISS_VALIDATIONCEDARLING_IDT_SUB_VALIDATIONCEDARLING_IDT_EXP_VALIDATIONCEDARLING_IDT_IAT_VALIDATIONCEDARLING_IDT_AUD_VALIDATIONCEDARLING_USERINFO_ISS_VALIDATIONCEDARLING_USERINFO_SUB_VALIDATIONCEDARLING_USERINFO_AUD_VALIDATIONCEDARLING_USERINFO_EXP_VALIDATIONTo configure the token validation settings and mappings, the new
CEDARLING_TOKEN_CONFIGSwill now be used.Note that tokens that are not in the
CEDARLING_TOKEN_CONFIGSwill be ignored and fields that are not defined will default to"disabled". Furthermore, if the boostrap property is not set, a default containing theaccess_token,id_token, anduserinfo_tokenwith some validation enabled will be used.The shape of the input to authz will remain the same, though the user can now add their custom tokens in the
"tokens"field:Additionally, the a new bootstrap config,
CEDARLING_MAPPING_ROLE, was added. This bootrap property tells Cedarling what the entity type name of theRoleis in the schema.Automatically adding token entities to the principal entity attributes
To automatically add the token entities to the principal entity attributes, two conditions must be met:
CEDARLING_TOKEN_CONFIGSbootstrap property:If these two conditions are met, the built entity will have a token entity reference in it's attributes which it can access when defining policies
Updated Policy Store
To be able to support custom tokens, the
"trusted_issuers"field in the policy store has been updated. The"access_tokens","id_tokens","userinfo_tokens", and"tx_tokens"have been replaced with"tokens_metadata". The"claim_mapping"field is a map of token_name -> token_metadata.Test and Document the changes
Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with
docs:to indicate documentation changes or if the below checklist is not selected.