-
Notifications
You must be signed in to change notification settings - Fork 279
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: ignore other auth prefixes #4718
feat: ignore other auth prefixes #4718
Conversation
CI performance tests
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Most of my comments are NITS or advisory. One thing that bothers me though.
If this option exists and is set to true
, doesn't that mean that an attacker could bypass JWT authentication by simply setting another prefix? I know that the burden of responsibility then lies on the user to perform that authentication, but it still bothers me that the config is providing this open door as part of our JWT scheme. I feel like we need to document somewhere in big RED LETTERS what the implications of using this are.
Co-authored-by: Gary Pennington <garypen@gmail.com>
I agree. It's definitely a fine line to tread, but some folks do If we could in the future have the plugin do auth schemes based on prefixes (e.g. bearer is now the JWT plugin) that might solve for some of the concern. And to be honest- the changing of headers would still be applicable for any other system that does auth. We (SAs) still highly recommend validating the token in the subgraph regardless. Going to flag up to sec and see what they say, however. |
@@ -128,6 +128,9 @@ struct JWTConf { | |||
/// Header value prefix | |||
#[serde(default = "default_header_value_prefix")] | |||
header_value_prefix: String, | |||
/// Whether to ignore any mismatched prefixes | |||
#[serde(default)] | |||
ignore_other_prefixes: bool, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure we actually need an option. The router looks for the value with the prefix it needs, it ignores the rest, we still have the same behavior as before: if it does not find the value it wants, then the request will not be authenticated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is that right? I thought we returned an InvalidPrefix
message if we didn't recognise a prefix and that's what Lucas is changing. i.e.: what was an Invalid prefix fail will become, with this option enabled, continue.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the important part is whether require_authentication
is enabled
This PR enables the JWT plugin to ignore other auth prefixes other than the one defined in the configuration. As to not break existing uses, this is defaulting to be false.
This enables multiple Authorization schemes to be supported, although other schemes would need to be handled in either Rhai or a coprocessor to be used with the AuthN plugin.
Checklist
Complete the checklist (and note appropriate exceptions) before the PR is marked ready-for-review.
Exceptions
Empty prefixes will not be affected by this change as there is no prefix to ignore.
Notes
Footnotes
It may be appropriate to bring upcoming changes to the attention of other (impacted) groups. Please endeavour to do this before seeking PR approval. The mechanism for doing this will vary considerably, so use your judgement as to how and when to do this. ↩
Configuration is an important part of many changes. Where applicable please try to document configuration examples. ↩
Tick whichever testing boxes are applicable. If you are adding Manual Tests, please document the manual testing (extensively) in the Exceptions. ↩