Use OIDC IDP URL (jwt_jwks_url) to fetch and refresh JKWS #23034
Labels
area/ysql: Yugabyte SQL (YSQL)
jira-originated
kind/new-feature: This is a request for a completely new feature
priority/high: High Priority
Comments
yugabyte-ci added the area/ysql, jira-originated, kind/new-feature, priority/high and status/awaiting-triage (Issue awaiting triage) labels on Jun 27, 2024
yugabyte-ci changed the title from "Use URL to fetch and refresh JKWS" to "Use OIDC IDP URL to fetch and refresh JKWS" on Jun 27, 2024
yugabyte-ci changed the title from "Use OIDC IDP URL to fetch and refresh JKWS" to "Use OIDC IDP URL (jwt_jwks_url) to fetch and refresh JKWS" on Jun 27, 2024
utkarsh-um-yb added a commit that referenced this issue on Jul 16, 2024

…nd refresh JKWS

Summary:
Added support for jwt_jwks_url in JWT Authentication to fetch and refresh JWKS from url.

**Configuration**
In ysql_hba_conf_csv with method jwt can provide jwt_jwks_url to pass the url. At least one of the jwt_jwks_path or jwt_jwks_url must be provided, if both are provided then jwt_jwks_url will be used.

**Fetching**
Implementation is as follows:
1. Fetches the keys from url using libcurl (EasyCurl implementation)
2. The keys are used for authentication in a similar fashion as with jwt_jwks_path

JIRA: DB-11962

Test Plan:
**Automated**
./yb_build.sh --java-test 'org.yb.pgsql.TestJWTAuth'
Added similar tests as jwt_jwks_path, to check for valid url, json, and authentication. Also added checks for invalid url and invalid json.

Reviewers: stiwary, skumar
Reviewed By: stiwary
Subscribers: yql
Differential Revision: https://phorge.dev.yugabyte.com/D36468
jasonyb pushed a commit that referenced this issue on Jul 17, 2024

Summary:
cc63aaf [docs] updates to diagnostics report page (#23162)
Excluded: 1773ae2 [#22937] docdb: Backward scans: make pggate be aware of fast backward scan capability
39c6228 [PLAT-12732] toggle tls and cert rotation v2 apis
d7cf125 [PLAT-14539][xCluster] need_bootstrap API does not work for old universes
65232ff [PLAT-14654]: Volume Size does not increase when ULTRA storage type is selected
4b39933 [PLAT-14606]: Disable options to ensure shrinking the RF is not permitted edit universe scenario
98d3fed [#23182] YSQL: Fix upgrade test failure when using 2.20.3.1 snapshot
Excluded: 19ab966 [#22902] YSQL: Add support for dropping a key column
835e30d [#22479] docdb: Pass epoch through DB cloning calls
3273e9b [#21789] docdb: Add tablet splitting support for clone
52f7e79 [#23064] YSQL: pg_partman: disable p_retention_schema parameter
66ed3a5 [#23197] YSQL: pg_partman: Disable Gist index creation
3996f55 [YNP][PLAT-14664] make node register to provider idempotent
Excluded: 6ec058d [PLAT-14668] - Move YSQL/YCQL configuration RBAC check to universe actions level and integrate RBAC for PG Compatibility
Excluded: 18bb9b8 [#23034] YSQL: Add Support for OIDC IDP URL (jwt_jwks_url) to fetch and refresh JKWS
68cb1d2 [PLAT-14675][YNP] Fix the formatting for preflight checks
db445ce [PLAT-14471][PLAT-14576] Added configurable deadline, keepAlive and unavailable retries to Ybc Java client
Excluded: 47da28c [#23192] YSQL: Simplify/cleanup code in PgDml/PgSelect/PgSelectIndex etc
Excluded: 1bc7a50 fix : gflag group toggle issue

Test Plan: Jenkins: rebase: pg15-cherrypicks
Reviewers: jason, tfoucher
Tags: #jenkins-ready
Differential Revision: https://phorge.dev.yugabyte.com/D36624
utkarsh-um-yb added a commit that referenced this issue on Jul 19, 2024

…ks_url) to fetch and refresh JKWS

Summary:
Added support for jwt_jwks_url in JWT Authentication to fetch and refresh JWKS from url.

**Configuration**
In ysql_hba_conf_csv with method jwt can provide jwt_jwks_url to pass the url. At least one of the jwt_jwks_path or jwt_jwks_url must be provided, if both are provided then jwt_jwks_url will be used.

**Fetching**
Implementation is as follows:
1. Fetches the keys from url using libcurl (EasyCurl implementation)
2. The keys are used for authentication in a similar fashion as with jwt_jwks_path

JIRA: DB-11962

- src/postgres/src/backend/libpq/hba.c:
-- parse_hba_line:
--- pg upstream commit 55782d5 changed the way of **Verify length of option lists**, but this was not changed in the master branch, so caused a conflict with master commit 18bb9b8, resolved by keeping the changes of pg15 upstream branch.
-- gethba_options:
--- 18bb9b8 makes changes to gethba_options, but that function was moved by upstream d4781d8873f8c3fc8b0957cc03ce91627576cf36 into hbafuncs.c, so applied the changes there.

Test Plan:
**Automated**
./yb_build.sh --java-test 'org.yb.pgsql.TestJWTAuth'
Added similar tests as jwt_jwks_path, to check for valid url, json, and authentication. Also added checks for invalid url and invalid json.

Reviewers: jason, tfoucher
Reviewed By: jason
Subscribers: yql
Differential Revision: https://phorge.dev.yugabyte.com/D36649
utkarsh-um-yb added a commit that referenced this issue on Aug 14, 2024

…s_url) to fetch and refresh JKWS

Summary:
Added support for jwt_jwks_url in JWT Authentication to fetch and refresh JWKS from url.

**Configuration**
In ysql_hba_conf_csv with method jwt can provide jwt_jwks_url to pass the url. At least one of the jwt_jwks_path or jwt_jwks_url must be provided, if both are provided then jwt_jwks_url will be used.

**Fetching**
Implementation is as follows:
1. Fetches the keys from url using libcurl (EasyCurl implementation)
2. The keys are used for authentication in a similar fashion as with jwt_jwks_path

JIRA: DB-11962

Original commit: 18bb9b8 / D36468

Test Plan:
**Automated**
./yb_build.sh --java-test 'org.yb.pgsql.TestJWTAuth'
Added similar tests as jwt_jwks_path, to check for valid url, json, and authentication. Also added checks for invalid url and invalid json.

Reviewers: stiwary, skumar
Reviewed By: stiwary
Subscribers: yql
Tags: #jenkins-ready
Differential Revision: https://phorge.dev.yugabyte.com/D37225
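
The option rule and the valid/invalid URL and JSON cases described in the commit messages above, as an added Python example (not YugabyteDB's code, which is C and fetches with libcurl). The sample HBA line, host name, file path and key values are constructed, and the https-only and public-keys-only checks are hardening assumptions, not behaviour stated on this page.

```python
import json
from urllib.parse import urlsplit

# Constructed sample HBA line: both options are set, so the URL must win.
SAMPLE_HBA = ("host all all 0.0.0.0/0 jwt "
              "jwt_jwks_path=/etc/yb/jwks.json "
              "jwt_jwks_url=https://idp.example.com/.well-known/jwks.json")
# Constructed sample JWKS holding one public RSA key (modulus shortened).
SAMPLE_JWKS = '{"keys": [{"kty": "RSA", "kid": "k1", "n": "sXch", "e": "AQAB"}]}'


def parse_hba_options(line):
    """Return the key=value options that follow the method on a host line."""
    fields = line.split()
    if len(fields) < 5 or fields[4] != "jwt":
        raise ValueError("expected: host <db> <user> <address> jwt [options]")
    return dict(f.split("=", 1) for f in fields[5:])


def select_jwks_source(opts):
    """Rule from the commit message: one source is required, the URL wins."""
    url, path = opts.get("jwt_jwks_url"), opts.get("jwt_jwks_path")
    if not url and not path:
        raise ValueError("one of jwt_jwks_path or jwt_jwks_url must be provided")
    if not url:
        return ("path", path)
    parts = urlsplit(url)
    # Assumption (hardening, not from the page): verification keys fetched
    # over plain HTTP can be replaced in transit, so require https.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"jwt_jwks_url must be an https URL: {url!r}")
    return ("url", url)


def validate_jwks(text):
    """Check a fetched document is a usable public JWK Set; return its kids."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON in JWKS: {exc}") from exc
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        raise ValueError("JWKS needs a non-empty 'keys' array")
    for key in keys:
        if not isinstance(key, dict) or "kty" not in key:
            raise ValueError("each JWK needs a 'kty' member")
        # Assumption: a published key set should hold public keys only.
        if "d" in key or key["kty"] == "oct":
            raise ValueError(f"private/symmetric key in JWKS: {key.get('kid')}")
    return [key.get("kid") for key in keys]
```
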
Jira Link: DB-11962