-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: correct auth jwt role requirements #27384
Conversation
CI Results: |
Build Results: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Appreciate you taking this on!
I have one minor comment around clarifying the expected behavior after 1.16.3.
|
||
JWT auth roles of type "jwt" require the `bound_audiences` claim to match at | ||
least one of the JWT's `aud` claims. Prior to 1.16.3, the JWT auth method would | ||
ignore token `aud` claims that were not a list of strings. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ignore token `aud` claims that were not a list of strings. | |
ignore token `aud` claims that were not a list of strings. Starting from 1.16.3, | |
it would ignore token `aud` claims that are not a single audience string or a list of strings. |
I think we should state what changed from 1.16.3. My wording might be confusing here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the previous sentence makes that clear. Maybe we can get the education team's input on this? That said, I think your wording should say something like
Starting from 1.16.3, token
aud
claims can be a single string or a list of strings and they must match at least one of the role'sbound_audiences
.
But then maybe the next paragraph should be reworked?
cc @schavis
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think saying this could be misleading.
Starting from 1.16.3, token
aud
claims can be a single string or a list of strings
The value type of aud
in JWT claims follows the specification of JWT, which changed to allow string type independently prior to 1.16.3. I believe users had been sending login requests with single string aud
. We didn't include that type into our invalidation logic until 1.16.3.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, how about I change the wording of the paragraph to this:
JWT auth roles of type "jwt" require the
bound_audiences
claim to match at
least one of the JWT'saud
claims. The JWT'saud
claim can be a single string
or a list of strings as per RFC 7519 Section 4.1.3. Prior to 1.16.3, the JWT auth method
would ignore tokenaud
claims that were not a list of strings.
This reverts commit 6554d3f.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great!
Co-authored-by: Sarah Chavis <[email protected]>
@schavis I reverted the change to the website/content/docs/upgrading/upgrade-to-1.16.x.mdx file to match the current formatting of the rest of the file. I checked the Vercel preview with the Warning tag and it didn't look correct. It makes it look like the Auth JWT info is part of the LDAP section above it but that isn' the intent. See the attached screenshot: |
This PR will need some updates in light of some recent decisions around the code changes. Converting to draft until I get this reworked. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
Description
This PR fixes the documentation to clearly state the Auth jwt plugin's behavior. For jwt roles, the
bound_audiences
parameter is required if the JWT'saud
claim is present and must match at least one of theaud
claims on the token.There are a few issues at play here:
bound_audiences
.References
From https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
Relates #27343
Relates #25791