Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Replace JWT validation library #5592

Merged

Conversation

mantas-sidlauskas
Copy link
Contributor

What changed?
Replacing https://github.com/cristalhq/jwt with https://github.com/golang-jwt/jwt.

Why?
To utilize "keyfunc" option for implementing JWKS functionality. It is planed to check token and pick correct public key for token validation. Having this, it is possible to use existing self-signed JWT for internal inter-node communication and 3rd party Identity Provider at the same time.

How did you test it?
Additional unit tests for validate TTL, local tests.

Potential risks

Release notes

Documentation Changes

@coveralls
Copy link

coveralls commented Jan 15, 2024

Pull Request Test Coverage Report for Build 018d3d6c-8b87-42c7-82a5-a6c04a1e85d6

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 62.654%

Totals Coverage Status
Change from base Build 018d3d56-cbc8-4a01-8d6f-5479dbabd2e2: 0.0%
Covered Lines: 92091
Relevant Lines: 146984

💛 - Coveralls

go.mod Outdated
@@ -66,6 +66,7 @@ require (
)

require (
github.com/golang-jwt/jwt/v5 v5.2.0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we have v5.0.0 of this package in monorepo. Since it doesn't have other dependencies it maybe OK but please confirm @Groxx.

Copy link
Contributor

@davidporter-id-au davidporter-id-au Jan 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

testing with D12725271

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it'll be ok

return errors.New("IssuedAt is not set")
}

// Fill ExpiresAt when TTL is passed
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a little surprised this is necessary, it's not a problem, but I wouldj have throught that the JWT lib would do this natively

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Our clients (java and go) are not setting ExpiresAt claim. Instead, they are providing TTL claim. This is to support backwards compatibility. Later on, clients needs to be updated to fill in ExpiresAt and we can delegate this check to JWT lib.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After re-reading your comment, I realized that it was not about TTL check, but for IssuedAt check. And yes, you are right, this is not needed as library will do this validation. Thanks!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah, sorry, yeah, i wasn't being super clear and to be honest, i get confused between the different values. I'll don't think it's a blocker, so stamping. Thank you for looking into it.

return errors.New("IssuedAt is not set")
}

// Fill ExpiresAt when TTL is passed
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah, sorry, yeah, i wasn't being super clear and to be honest, i get confused between the different values. I'll don't think it's a blocker, so stamping. Thank you for looking into it.

}

timeLeft := exp.Unix() - time.Now().Unix()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my comment wasn't great, I actually meant this: I thought this would be something that the library would do natively

@davidporter-id-au davidporter-id-au enabled auto-merge (squash) January 24, 2024 21:47
@davidporter-id-au davidporter-id-au merged commit 66897c7 into cadence-workflow:master Jan 24, 2024
15 of 16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants