Support multiple audience for jwt authentication #4359
Hi @donggyu04, thank you. Could you please:
Yes, I fixed what you mentioned.
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #4359 +/- ##
=======================================
Coverage 65.46% 65.46%
=======================================
Files 310 310
Lines 21986 21992 +6
Branches 3552 3554 +2
=======================================
+ Hits 14393 14397 +4
Misses 5824 5824
- Partials 1769 1771 +2
Could you please fix spotless scan failure:
Thank you for the contribution @donggyu04 ! The change looks good to me, but I had a general question.
When a user configures multiple values for required audience, it will behave as an OR operation where as long as a token has one of the required audiences it's considered valid. Would there ever be a valid use-case where an admin would want to enforce that a JWT has all required audiences?
Can you please also submit a PR to the documentation-website to accompany this change?
Yes, I wanted to make sure that the JWT token was valid if it had any of the required audiences. I can't think of any cases that force all required audiences to be required. If I need to meet all required audiences, I think I will use only one required audience as before. I will make a PR to
Signed-off-by: leedonggyu <[email protected]>
I fixed it and checked it again on my local machine. Thanks.
The test (citest, ubuntu-latest, 11) failed.
Yes, it is a well-known issue for the old test framework we use for testing. I will re-run jobs.
The test failed again, but I don't know what the problem is.
Yes, I saw it as well. So far I can't answer the question why it happened.
Signed-off-by: leedonggyu <[email protected]> (cherry picked from commit f71d2e6) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@willyborankin @cwperks Thanks for the reviews. Which month's release is this going to be included in?
Hi, which month's release is this going to be included in? Thanks in advance.
Hi @donggyu04, yes it should be part of the upcoming release.
Sorry for continuing to ask questions. When are you planning the next release? June or July?
@donggyu04, here is the official release scheduler: https://opensearch.org/releases.html
@willyborankin Oh, thanks so much 👍
Description
Related: #3723
Currently OpenSearch doesn't support multiple audience for JWT authentication.
I want to pass the audience claims if the aud value in the JWT is at least one of the required audiences. For example, if I set my OpenSearch security configuration for JWT like below.
I want to pass verification if there is either a project1 or admin audience in the JWT token. This may be useful for some cases, like if someone needs to access OpenSearch for all projects (project1, project2, ....) via the admin aud.
Please confirm this concept positively.
Thanks in advance.
Testing
I added unit tests.
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
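
The any-of audience check described in this PR, next to the all-of alternative raised in review, as an added Java example that is not the plugin's own code. The class and method names are hypothetical, the aud claim is assumed to be already parsed into a String or a list, and treating an empty requirement set as "no restriction" is an assumption.

```java
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added illustration; names are hypothetical and this is not the security plugin's code.
public class AudienceCheck {

    // RFC 7519 allows "aud" to be a single string or an array of strings.
    static Set<String> tokenAudiences(Object audClaim) {
        Set<String> out = new LinkedHashSet<>();
        if (audClaim instanceof String) {
            out.add((String) audClaim);
        } else if (audClaim instanceof Collection) {
            for (Object v : (Collection<?>) audClaim) {
                if (!(v instanceof String)) {
                    throw new IllegalArgumentException("non-string aud entry");
                }
                out.add((String) v);
            }
        } else if (audClaim != null) {
            throw new IllegalArgumentException("unsupported aud type");
        }
        return out; // empty when the token has no aud claim
    }

    // OR semantics: accept when the token carries at least one required audience.
    // Assumption: an empty requirement set means no audience restriction is configured.
    static boolean matchesAny(Object audClaim, Set<String> required) {
        if (required.isEmpty()) return true;
        Set<String> aud = tokenAudiences(audClaim);
        return required.stream().anyMatch(aud::contains);
    }

    // AND semantics, the alternative asked about in review: every required audience must be present.
    static boolean matchesAll(Object audClaim, Set<String> required) {
        return tokenAudiences(audClaim).containsAll(required);
    }

    public static void main(String[] args) {
        Set<String> required = Set.of("project1", "admin"); // audiences named in the PR description
        // Constructed sample claims: single string, array, non-matching value, missing claim.
        System.out.println("any, aud=admin: " + matchesAny("admin", required));
        System.out.println("any, aud=[project2, project1]: " + matchesAny(List.of("project2", "project1"), required));
        System.out.println("any, aud=project2: " + matchesAny("project2", required));
        System.out.println("any, aud missing: " + matchesAny(null, required));
        System.out.println("all, aud=admin: " + matchesAll("admin", required));
    }
}
```

Under OR semantics, each value added to the required list widens the set of tokens that are accepted, so a broad audience such as admin grants access on its own.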