Support user defined jwt auth and sdk functions #405
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
jairad26
changed the title
jairad26
changed the title
jairad26
changed the title
|
Just a note about the prod workflow comment:
That's fine for now, but we'll want to change this soon when we add endpoint configuration to the manifest, such that if an endpoint is configured for authentication, and it's running in a non-dev environment without keys supplied, that we log a fatal error and exit - because such a configuration should not be allowed. Alternatively, we could not exit, but just not start that endpoint. We'll have to see which makes the most sense. |
|
Also a note about:
Agreed. And this should already be mitigated by #439 |
mattjohnsonpint
requested changes
Oct 9, 2024
mattjohnsonpint
approved these changes
Oct 10, 2024
jairad26
deleted the
jai/hyp-2019-pass-jwt-auth-claims-to-functions-via-env-vars
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR adds jwt auth support for the modus runtime. This works by specifying a golang deserializable map of RSA PEMs as environment variables, named
MODUS_RSA_PEMS. When available, the runtime will force any incoming api request to be verified by one of the specified RSA keys. Then the claims from the jwt are stored in the environment variables, to be accessed by the user via sdk functions. However, the dev and production flows are different.Dev Flow
If in Dev mode, and no RSA keys are provided, but a JWT is provided, we will assume the user is attempting to test their jwt claims, without going through the process of verification & refreshing the tokens (however if this turns out to be a problem we can remove this functionality easily). Therefore we will run a ParseUnverified. to retrieve the claims and store.
WARNING: Please do not run your runtime in dev mode in a production environment.
Prod Flow
If in Prod mode, and no RSA keys are provided, no matter what the request will be allowed through, and the JWT will NOT be stored.
SDK Functions
the user is provided with
auth.GetJWTClaims<T>as the function to retrieve the claims. It allows the user to pass in structure to deserialize the claims json string into, or just pass string for T to get the raw claims string.