Make header = "Authorization" the default authentication mechanism …

…for JWT

CHANGELOG.md

@@ -12,6 +12,7 @@ Unreleased changes are available as `avenga/couper:edge` container.
   * `expected_status` attribute for `request` and `proxy` block definitions which can be caught with [error handling](./docs/ERRORS.md#endpoint-related-error_handler) ([#405](https://github.com/avenga/couper/issues/405))
 
 * **Changed**
+  * `header = "Authorization"` is now the default authentication mechanism for JWT and may be omitted ([#](https://github.com/avenga/couper/issues/))
   * Missing [scope or roles claims](./docs/REFERENCE.md#jwt-block), or scope or roles claim with unsupported values are now ignored instead of causing an error ([#380](https://github.com/avenga/couper/issues/380))
   * Improved the validation for unique keys in all map-attributes in the config ([#403](https://github.com/avenga/couper/pull/403))
   * The access control for the OIDC redirect endpoint ([`oidc` block](./docs/REFERENCE.md#oidc-block)) now verifies ID token signatures ([#404](https://github.com/avenga/couper/pull/404))

accesscontrol/jwt.go

@@ -97,6 +97,12 @@ func NewJWTSource(cookie, header string, value hcl.Expression) JWTSource {
 			Type: Header,
 		}
 	}
+	if h == "" && c == "" {
+		return JWTSource{
+			Name: "Authorization",
+			Type: Header,
+		}
+	}
 	return JWTSource{}
 }
 

accesscontrol/jwt_test.go

@@ -664,6 +664,19 @@ func TestJwtConfig(t *testing.T) {
 			`,
 			"jwt key: read error: required: configured attribute or file",
 		},
+		{
+			"ok: signature_algorithm + key (default: header = Authorization)",
+			`
+			server "test" {}
+			definitions {
+			  jwt "myac" {
+			    signature_algorithm = "HS256"
+			    key = "..."
+			  }
+			}
+			`,
+			"",
+		},
 		{
 			"ok: signature_algorithm + key + header",
 			`

docs/REFERENCE.md

@@ -366,7 +366,7 @@ required _label_.
 | :-------- | :--------------- | :--------------- | :--------------- | :--------------- | :--------------- |
 | `cookie`  |string|-|Read token value from a cookie.|cannot be used together with `header` or `token_value` |`cookie = "AccessToken"`|
 | `custom_log_fields` | map | - | Defines log fields for [Custom Logging](LOGS.md#custom-logging). | ⚠ Inherited by nested blocks. | - |
-| `header`          |string|-|Read token value from a request header field.|⚠ Implies `Bearer` if `Authorization` (case-insensitive) is used, otherwise any other header name can be used. Cannot be used together with `cookie` or `token_value`.|`header = "Authorization"` |
+| `header`          |string| `Authorization` |Read token value from a request header field.|⚠ Implies `Bearer` if `Authorization` (case-insensitive) is used, otherwise any other header name can be used. Cannot be used together with `cookie` or `token_value`.|`header = "Authorization"` |
 | `token_value` | string | - | expression to obtain the token | cannot be used together with `cookie` or `header` | `token_value = request.form_body.token[0]`|
 | `key`           |string|-|Public key (in PEM format) for `RS*` and `ES*` variants or the secret for `HS*` algorithm.|-|-|
 | `key_file`          |string|-|Optional file reference instead of `key` usage.|-|-|

server/http_integration_test.go

@@ -3199,7 +3199,7 @@ func TestJWTAccessControlSourceConfig(t *testing.T) {
 	log, _ := logrustest.NewNullLogger()
 	ctx := context.TODO()
 
-	expectedMsg := "configuration error: missing-source: token source is invalid"
+	expectedMsg := "configuration error: invalid-source: token source is invalid"
 
 	err = command.NewRun(ctx).Execute([]string{couperConfig.Filename}, couperConfig, log.WithContext(ctx))
 	logErr, _ := err.(errors.GoError)

server/testdata/integration/config/03_couper.hcl

@@ -297,18 +297,15 @@ definitions {
     password = "PWD"
   }
   jwt "JWTToken" {
-    header = "Authorization"
     signature_algorithm = "HS256"
     key = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
     beta_scope_claim = "scope"
   }
   jwt "RSAToken" {
-    header = "Authorization"
     signature_algorithm = "RS256"
     key_file = "../files/certificate.pem"
   }
   jwt "RSAToken1" {
-    header = "Authorization"
     signature_algorithm = "RS256"
     key =<<-EOF
         -----BEGIN RSA PUBLIC KEY-----
@@ -337,19 +334,16 @@ definitions {
     EOF
   }
   jwt "RSATokenWrongAlgorithm" {
-    header = "Authorization"
     signature_algorithm = "RS384"
     key_file = "../files/certificate.pem"
   }
   jwt "ECDSAToken" {
-    header = "Authorization"
     signature_algorithm = "ES256"
     key_file = "../files/certificate-ecdsa.pem"
     signing_ttl = "10s"
     signing_key_file = "../files/ecdsa.key"
   }
   jwt "ECDSAToken8" {
-    header = "Authorization"
     signature_algorithm = "ES256"
     key =<<-EOF
         -----BEGIN PUBLIC KEY-----
@@ -359,36 +353,30 @@ definitions {
     EOF
   }
   jwt "ECDSATokenWrongAlgorithm" {
-    header = "Authorization"
     signature_algorithm = "ES384"
     key_file = "../files/certificate-ecdsa.pem"
   }
   jwt "JWKS" {
-    header = "Authorization"
     jwks_url = "file:../files/jwks.json"
   }
   jwt "JWKS_scope" {
-    header = "Authorization"
     jwks_url = "file:../files/jwks.json"
     beta_scope_claim = "scope"
   }
   jwt "JWKSRemote" {
-    header = "Authorization"
     jwks_url = "${env.COUPER_TEST_BACKEND_ADDR}/jwks.json"
   }
   jwt "JWKS_not_found" {
     header = "Authorization"
     jwks_url = "${env.COUPER_TEST_BACKEND_ADDR}/not.found"
   }
   jwt "JWKSBackend" {
-    header = "Authorization"
     jwks_url = "${env.COUPER_TEST_BACKEND_ADDR}/jwks.json"
     backend {
       origin = env.COUPER_TEST_BACKEND_ADDR
     }
   }
   jwt "JWKSBackendRef" {
-    header = "Authorization"
     jwks_url = "${env.COUPER_TEST_BACKEND_ADDR}/jwks.json"
     backend = "jwks"
   }

server/testdata/integration/config/05_couper.hcl

@@ -1,6 +1,8 @@
 server "jwt-source" {}
 definitions {
-  jwt "missing-source" {
+  jwt "invalid-source" {
+    header = "foo"
+    cookie = "bar"
     signature_algorithm = "HS256"
     key = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
   }