Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add RawTokenKeyProvider #2420

Merged
merged 2 commits into from
Feb 1, 2022
Merged

Add RawTokenKeyProvider #2420

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
cc79ebf
Add RawTokenKeyProvider
wenerme Jan 26, 2022
63701a5
Update token_key_provider.go
sergeybykov Jan 31, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 28 additions & 16 deletions common/authorization/default_jwt_claim_mapper.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
package authorization

import (
"context"
"fmt"
"strings"

Expand Down Expand Up @@ -131,25 +132,36 @@ func parseJWT(tokenString string, keyProvider TokenKeyProvider) (jwt.MapClaims,
func parseJWTWithAudience(tokenString string, keyProvider TokenKeyProvider, audience string) (jwt.MapClaims, error) {

parser := jwt.NewParser(jwt.WithValidMethods(keyProvider.SupportedMethods()))
token, err := parser.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {

kid, ok := token.Header["kid"].(string)
if !ok {
return nil, fmt.Errorf("malformed token - no \"kid\" header")
var keyFunc jwt.Keyfunc
if provider, _ := keyProvider.(RawTokenKeyProvider); provider != nil {
keyFunc = func(token *jwt.Token) (interface{}, error) {
// reserve context
// impl may introduce network request to get public key
return provider.GetKey(context.Background(), token)
}
alg := token.Header["alg"].(string)
switch token.Method.(type) {
case *jwt.SigningMethodHMAC:
return keyProvider.HmacKey(alg, kid)
case *jwt.SigningMethodRSA:
return keyProvider.RsaKey(alg, kid)
case *jwt.SigningMethodECDSA:
return keyProvider.EcdsaKey(alg, kid)
default:
return nil, serviceerror.NewPermissionDenied(
fmt.Sprintf("unexpected signing method: %v for algorithm: %v", token.Method, token.Header["alg"]), "")
} else {
keyFunc = func(token *jwt.Token) (interface{}, error) {
kid, ok := token.Header["kid"].(string)
if !ok {
return nil, fmt.Errorf("malformed token - no \"kid\" header")
}
alg := token.Header["alg"].(string)
switch token.Method.(type) {
case *jwt.SigningMethodHMAC:
return keyProvider.HmacKey(alg, kid)
case *jwt.SigningMethodRSA:
return keyProvider.RsaKey(alg, kid)
case *jwt.SigningMethodECDSA:
return keyProvider.EcdsaKey(alg, kid)
default:
return nil, serviceerror.NewPermissionDenied(
fmt.Sprintf("unexpected signing method: %v for algorithm: %v", token.Method, token.Header["alg"]), "")
}
}
})
}

token, err := parser.Parse(tokenString, keyFunc)

if err != nil {
return nil, err
Expand Down
10 changes: 10 additions & 0 deletions common/authorization/token_key_provider.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,11 @@
package authorization

import (
"context"
"crypto/ecdsa"
"crypto/rsa"

"github.com/golang-jwt/jwt/v4"
)

// @@@SNIPSTART temporal-common-authorization-tokenkeyprovider-interface
Expand All @@ -39,4 +42,11 @@ type TokenKeyProvider interface {
Close()
}

// RawTokenKeyProvider is a TokenKeyProvider that provides keys for validating JWT tokens
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to add comments that this is an optional alternative version of token key provider. However, if provider implements this interface, it will take precedent and shadow the implementation of TokenKeyProvider and be used to validate JWT token.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If RawTokenKeyProvider is a TokenKeyProvider, shall we embed TokenKeyProvider inside RawTokenKeyProvider interface and only specify additional methods?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's fine as it is and there's no need to add TokenKeyProvider methods to RawTokenKeyProvider.

type RawTokenKeyProvider interface {
GetKey(ctx context.Context, token *jwt.Token) (interface{}, error)
SupportedMethods() []string
Close()
}

// @@@SNIPEND