Fix bug determining jwt validity due to incorrect computation of system timestamp and provide configuration option to allow for timely slack in token validity #10753
@@ -9,6 +9,8 @@ | |
#include "jwt_verify_lib/check_audience.h" | ||
#include "jwt_verify_lib/status.h" | ||
|
||
#include "absl/time/clock.h" | ||
Do we have any regression or unit/integration tests for this?

Tests? Jeeze. What roughnecked thinking. No, seriously. This is my first contribution here and I wasn't actually planning on going through by myself. Anyways, I don't mind at all doing it but need to get set up with a proper build environment to do real work. The coming weekend seems a good time to do so.

Ah heck, here I am working already.

This header is not needed any more. Please remove it.
||
|
||
namespace Envoy { | ||
namespace Extensions { | ||
namespace HttpFilters { | ||
|
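Review bot: the only visible change in this hunk is the new `#include "absl/time/clock.h"`, and nothing in the hunk uses it; a later comment on this thread says the header is no longer needed, so the include should be dropped rather than left as an unused dependency. If the timestamp fix still relies on absl::ToUnixSeconds(absl::Now()) somewhere outside this hunk, keep the include next to that code instead. Separately, the "- 5" slack discussed in review is a hard-coded tolerance in a security check; as agreed in the thread, it belongs in the filter config as a named option rather than a literal.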
I am fine with the change to use absl::ToUnixSeconds(absl::Now()).
But I don't like the "- 5" part; it seems like a hack to solve your particular problem.
BTW, even if you pass this check, there is another check in verifyJwt which is calling this code here:
https://github.com/google/jwt_verify_lib/blob/master/src/verify.cc#L163
The specific amount of slack is debatable. However, I don't think there is any doubt that there is a general need for some slack. Whatever part of an authn system (be it AWS ALB or https://istio.io/blog/2019/app-identity-and-access-adapter/) that refreshes access tokens has to check if the current token is still valid. Finally, istio-proxy validates the token again and the time between these two validation events is the time needed as slack.
Could we make the amount configurable?
Yes, I like this idea. Let us make it configurable from filter config. Please see my other comments.
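The thread converges on two points: compute the current time in whole Unix seconds (the unit RFC 7519 uses for `exp` and `nbf`), and make the clock-skew tolerance a configurable value instead of a literal `- 5`. The following is an added illustration, not Envoy or jwt_verify_lib code, of what such a check looks like; the names `JwtTimeClaims`, `JwtTimeConfig`, `checkTimeClaims` and `nowUnixSeconds` are assumptions for this example, and std::chrono stands in for `absl::ToUnixSeconds(absl::Now())` so the block builds without Abseil.

```cpp
#include <chrono>
#include <cstdint>
#include <iostream>
#include <optional>

// Example code (not from the PR): time-validity check for a JWT with a
// configurable clock-skew tolerance, the "slack" discussed in the thread.
// Claim values are seconds since the Unix epoch (RFC 7519 NumericDate).
struct JwtTimeClaims {
  std::optional<int64_t> exp;  // expiration time, seconds since epoch
  std::optional<int64_t> nbf;  // not-before time, seconds since epoch
};

// Hypothetical filter-config field standing in for a hard-coded "- 5".
struct JwtTimeConfig {
  int64_t clock_skew_seconds = 0;  // 0 = strict, no slack
};

enum class TimeStatus { Ok, Expired, NotYetValid };

// Current Unix time in whole seconds. The PR uses absl::ToUnixSeconds(absl::Now());
// std::chrono is used here so the example needs no Abseil. The unit matters:
// comparing a seconds-based claim against a milliseconds or nanoseconds "now"
// makes every token look expired (or never expired).
int64_t nowUnixSeconds() {
  return std::chrono::duration_cast<std::chrono::seconds>(
             std::chrono::system_clock::now().time_since_epoch())
      .count();
}

// Validate exp/nbf against `now`, tolerating cfg.clock_skew_seconds of
// disagreement between the issuer's clock and ours. `now` is a parameter so
// the check is deterministic and testable; callers pass nowUnixSeconds().
TimeStatus checkTimeClaims(const JwtTimeClaims& claims, int64_t now,
                           const JwtTimeConfig& cfg) {
  // Negative skew makes no sense as a tolerance; treat it as "no slack".
  const int64_t skew = cfg.clock_skew_seconds < 0 ? 0 : cfg.clock_skew_seconds;
  // RFC 7519 4.1.4: now MUST be before exp, so the token is expired once
  // now >= exp; the skew is added to exp to forgive a slightly fast local clock.
  if (claims.exp && now >= *claims.exp + skew) return TimeStatus::Expired;
  // RFC 7519 4.1.5: now MUST be at or after nbf; the skew is subtracted from
  // nbf to forgive a slightly slow local clock.
  if (claims.nbf && now < *claims.nbf - skew) return TimeStatus::NotYetValid;
  return TimeStatus::Ok;
}

int main() {
  // Constructed sample: a token that expired 3 seconds ago, checked with and
  // without 5 seconds of configured slack.
  const int64_t now = nowUnixSeconds();
  JwtTimeClaims claims{now - 3, std::nullopt};
  std::cout << "strict:  " << (checkTimeClaims(claims, now, JwtTimeConfig{0}) == TimeStatus::Ok)
            << "\nslack 5: " << (checkTimeClaims(claims, now, JwtTimeConfig{5}) == TimeStatus::Ok)
            << '\n';
  return 0;
}
```

The skew widens the validity window symmetrically at both ends; the right value is the maximum expected clock disagreement plus the delay between the upstream check and the proxy's re-validation that the thread describes, and keeping it small bounds how long a revoked-by-expiry token remains usable.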