proto/agent: add JWT SVID privileged API #20

Merged: 2 commits, Mar 17, 2022

@loveyana (Contributor) commented Feb 21, 2022

Add JWT SVID privileged API proto definitions in Delegated Identity API. This API includes two RPCs: FetchJWTSVIDs and SubscribeToJWTBundles.

The FetchJWTSVIDs rpc allows a privileged client to get JWT-SVIDs for a given workload.

The request is used to fetch JWT-SVIDs for a workload. As in the Workload API, an audience list is required, and the selectors describing the workload to fetch are also needed.

And the response is used to fetch a list of JWT-SVIDs (for the fetched workload). JWT-SVIDs for registration entries matching all the passed selectors are returned.

The SubscribeToJWTBundles rpc streams the local and all federated bundles. It should be noted that the bundle data it returns is marshaled to JWKS.

Related: #4, #7, #8
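
An added example (not part of this PR or of the SPIRE code base) of how a client of the two RPCs might choose the verification key for a JWT-SVID from the JWKS bundles: the key is looked up only in the bundle of the trust domain named in the token's subject, so a federated domain's key cannot vouch for a local identity. The names `SelectJWK` and `Token`, the sample data, and the assumption that bundles arrive as a map keyed by trust domain URI are illustrative; signature, expiry and audience checks are left to a JOSE library.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// SelectJWK returns the JWK that should verify token, searching only the JWKS of the trust
// domain in the token's unverified "sub". Assumption: bundles is keyed by trust domain URI.
func SelectJWK(bundles map[string][]byte, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT: %d segments", len(parts))
	}
	var hdr struct{ Kid string `json:"kid"` }
	var claims struct{ Sub string `json:"sub"` }
	for i, dst := range []interface{}{&hdr, &claims} {
		raw, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err != nil || json.Unmarshal(raw, dst) != nil {
			return nil, fmt.Errorf("JWT segment %d is not base64url JSON", i)
		}
	}
	id, err := url.Parse(claims.Sub)
	if err != nil || id.Scheme != "spiffe" || id.Host == "" || hdr.Kid == "" {
		return nil, fmt.Errorf("token lacks a SPIFFE ID subject or a kid")
	}
	var set struct{ Keys []map[string]interface{} `json:"keys"` }
	if json.Unmarshal(bundles["spiffe://"+id.Host], &set) != nil {
		return nil, fmt.Errorf("no usable bundle for trust domain %s", id.Host)
	}
	for _, k := range set.Keys {
		if k["kid"] == hdr.Kid {
			return k, nil // caller must still verify signature, exp and aud
		}
	}
	return nil, fmt.Errorf("kid %q is not in the bundle for %s", hdr.Kid, id.Host)
}
func Token(kid, sub string) string { // unsigned, constructed sample token, not a valid JWT-SVID
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"kid":"`+kid+`"}`)) + "." + enc([]byte(`{"sub":"`+sub+`"}`)) + ".sig"
}
func main() { // constructed sample bundles; the token names a federated kid but a local subject
	b := map[string][]byte{"spiffe://example.org": []byte(`{"keys":[{"kid":"local-1"}]}`),
		"spiffe://partner.test": []byte(`{"keys":[{"kid":"fed-1"}]}`)}
	_, err := SelectJWK(b, Token("fed-1", "spiffe://example.org/web"))
	fmt.Println(err)
}
```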

@loveyana (Contributor, Author) commented Mar 1, 2022

@amartinezfayo I'm glad you noticed this, do you have any thoughts about it?

@amartinezfayo (Member) left a comment

Thank you @loveyana for this contribution! It looks great.
I have only one super minor suggestion in a comment.

// for the requested audience.
rpc FetchJWTSVIDs(FetchJWTSVIDsRequest) returns (FetchJWTSVIDsResponse);

// Subscribe to get local and all federated JWKS bundle.
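
Review bot: on the `rpc FetchJWTSVIDs(FetchJWTSVIDsRequest) returns (FetchJWTSVIDsResponse);` line, the RPC is unary, so the doc comment that ends with `// for the requested audience.` should say that the caller has to call it again to obtain fresh JWT-SVIDs before the returned ones expire. Nothing is pushed to the client here, unlike the subscription documented on the following line, and stating that contrast in the comment would help callers.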
Suggested change
// Subscribe to get local and all federated JWKS bundle.
// Subscribe to get local and all federated JWKS bundles.

@evan2645 (Member)

I think things will get cumbersome when the workload-to-audience complexity explodes, but I also don't have a better suggestion ... I think in this case, folks are just going to have to manage multiple streams. Maybe it's something we can improve on in the future after some use ... general shape etc looks good to me @amartinezfayo, thank you for the contribution @loveyana!

@evan2645 evan2645 changed the base branch from main to next March 17, 2022 17:26
@amartinezfayo amartinezfayo merged commit e2705b3 into spiffe:next Mar 17, 2022
azdagron pushed a commit that referenced this pull request May 12, 2022
* proto/agent: add JWT SVID privileged API

Signed-off-by: Yuhan Li <[email protected]>

* Fix comment lint problem

Signed-off-by: Yuhan Li <[email protected]>
azdagron pushed a commit that referenced this pull request May 12, 2022
* proto/agent: add JWT SVID privileged API

Signed-off-by: Yuhan Li <[email protected]>

* Fix comment lint problem

Signed-off-by: Yuhan Li <[email protected]>
guilhermocc pushed a commit to guilhermocc/spire-api-sdk that referenced this pull request Apr 10, 2023
Bring gRPC to latest to keep in sync with forthcoming gRPC upgrade in
SPIRE.