
Support authentication using a JSON web token (JWT) #93 #100

Open
wants to merge 2 commits into
base: master

Conversation

stoggi
@stoggi stoggi commented Aug 7, 2019

This PR enables support for authentication with OpenIDConnect by verifying a JWT #93

A third-party library (https://github.com/mpdavis/python-jose) is introduced to verify a JSON Web Token (JWT) and parse a JSON Web Key (JWK). This library was chosen because it is well maintained, has a compatible license, is featured on jwt.io, is lightweight, and can support JWKs.

  • Created new configuration section for JWT Auth
    • Configure a JWK to verify a JWT signature
    • Configure required signature algorithms
    • Configure required audience and issuer claims
    • Configure name of username claim
  • Added code block in lambda_handler_user to validate JWT if configured
    • Require remote_usernames == bastion_user
    • Require valid JWT signature, expiry, and signature algorithm
    • Require username_claim in JWT
    • Require username_claim == bastion_user
  • Added unit tests for config and JWT validation

* Created new configuration section for JWT Auth
 - Configure a JWK to verify a JWT signature
 - Configure required signature algorithms
 - Configure required audience and issuer claims
 - Configure name of username claim
* Added code block in lambda_handler_user to validate JWT if configured
 - Require remote_usernames == bastion_user
 - Require valid JWT signature, expiry, and signature algorithm
 - Require username_claim in JWT
 - Require username_claim == bastion_user
* Added unit tests for config and JWT validation
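The validation steps listed above, as an added illustration that is not code from this PR or from BLESS. The PR uses python-jose with a configured JWK; to run offline with the standard library only, this example signs with HS256 and a constructed shared secret instead, so the configuration keys, `make_token`, `validate_jwt` and the sample claims are all assumptions. The order of checks (remote_usernames == bastion_user, algorithm allow-list, signature, expiry, issuer, audience, username claim present and equal to bastion_user) follows the PR description.

```python
"""Added example: the JWT validation policy described in the PR, in stdlib Python.
HS256 with a constructed secret stands in for the PR's JWK-based verification."""
import base64
import hashlib
import hmac
import json
import time

# Constructed configuration mirroring the PR's "JWT Auth" section (key names assumed).
JWT_CONFIG = {
    "secret": b"constructed-demo-secret",   # stands in for the configured JWK
    "algorithms": ["HS256"],                # required signature algorithms
    "audience": "bless",
    "issuer": "https://idp.example",
    "username_claim": "preferred_username",
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a compact JWS so the checks below have constructed input to run on."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_jwt(token: str, bastion_user: str, remote_usernames: str, config: dict, now=None) -> str:
    """Apply the PR's checks in order; return the authenticated username or raise ValueError."""
    now = time.time() if now is None else now
    # The PR requires the requested remote username to be the bastion user itself.
    if remote_usernames != bastion_user:
        raise ValueError("remote_usernames must equal bastion_user")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm to the configured allow-list before touching the signature;
    # this is what rejects alg=none and key/algorithm confusion.
    if header.get("alg") not in config["algorithms"]:
        raise ValueError("signature algorithm not permitted")
    expected = hmac.new(config["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Expiry is mandatory, not optional: a token without exp never validates.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if claims.get("iss") != config["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if config["audience"] not in aud_list:
        raise ValueError("audience mismatch")
    name_claim = config["username_claim"]
    if name_claim not in claims:
        raise ValueError(f"missing claim {name_claim}")
    if claims[name_claim] != bastion_user:
        raise ValueError("username claim does not match bastion_user")
    return claims[name_claim]


if __name__ == "__main__":
    token = make_token(
        {"iss": JWT_CONFIG["issuer"], "aud": "bless", "exp": int(time.time()) + 60,
         "preferred_username": "alice"},
        JWT_CONFIG["secret"],
    )
    print(validate_jwt(token, "alice", "alice", JWT_CONFIG))
```

Checking the algorithm against the configured list before verifying the signature is the point worth carrying over to the python-jose version: pass the configured `algorithms` explicitly rather than trusting the token header.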
@coveralls

coveralls commented Aug 7, 2019


Coverage increased (+0.2%) to 94.943% when pulling 24af4b4 on stoggi:jwtauth into 80f3c1b on Netflix:master.

… hash

* Pin marshmallow to a version less than 3. This might be fixed in Netflix#99
* Disable at_hash verification if present in the JWT, since the bless lambda doesn't have access to a hash of the access token.
@stoggi

stoggi commented Nov 4, 2019

@russell-lewis am I able to get a hand reviewing this PR?
