Support for mutil-value audience claims in JWT token #13490
Conversation
|
Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: rstyp.
|
|
Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla |
|
|
||
| public class JwtAuthenticator | ||
| extends AbstractBearerAuthenticator | ||
| { | ||
| private final JwtParser jwtParser; | ||
| private final String principalField; | ||
| private final UserMapping userMapping; | ||
| private final String requiredAudience; |
There was a problem hiding this comment.
Typically we use Optional for values that can have null.
There was a problem hiding this comment.
@lukasz-walkiewicz changed it to Optional
|
Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla |
|
Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla |
|
Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla |
|
@rstyp Please sign CLA. See instructions from cla-bot. |
|
Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla |
|
@lukasz-walkiewicz CLA is signed now. |
There was a problem hiding this comment.
Sorry for the delay @rstyp. Looks good, just a couple of minor comments.
| @@ -71,6 +75,32 @@ protected Optional<Identity> createIdentity(String token) | |||
| .build()); | |||
| } | |||
|
|
|||
| private void validateAudience(Claims claims) | |||
| { | |||
| Object tokenAudience = claims.get(AUDIENCE); | |||
There was a problem hiding this comment.
change order, if requiredAudience is empty then getting audience from claims is redundant
| @@ -538,6 +552,34 @@ public void testJwtWithJwkAuthenticator() | |||
| } | |||
| } | |||
|
|
|||
| @Test | |||
| public void testJwtAuthenticatorWithInvalidAudience() | |||
There was a problem hiding this comment.
I think we're missing a test with empty audience and without http-server.authentication.jwt.required-audience specified.
|
Thank you @lukasz-walkiewicz |
|
CI hit: #12818 |
|
CI hit: #13288 |
|
Merged, thanks |
Description
requiredAudiencevalidation fails ifaudclaim contains multiple audiences in JWT token.jwtParser.requireAudience(config.getRequiredAudience());to not to validateaudduringparseClaimsJws.validateAudiencemethod and call it fromcreateIdentitya fix
JWT Authentication
Support for mutil-value audience claims in JWT token
Related issues, pull requests, and links
#13442
Documentation
( *) No documentation is needed.
( ) Sufficient documentation is included in this PR.
( ) Documentation PR is available with #prnumber.
( ) Documentation issue #issuenumber is filed, and can be handled later.
Release notes
( ) No release notes entries required.
( ) Release notes entries required with the following suggested text: