Workload ID: Add Auth Server JWT SVID support #46968
Conversation
} | ||
|
||
// Create a JTI to uniquely identify this JWT for audit logging purposes | ||
jti, err = utils.CryptoRandomHex(jtiLength) |
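Review bot: the comment above the jti line only mentions audit logging, but as the thread below notes, RFC 7519 also allows a verifier to use jti for replay prevention, so the comment should say that jtiLength is sized so that collisions across issuers are negligible and that consumers may rely on its uniqueness. The line that handles the err returned by CryptoRandomHex is not in this excerpt; make sure the error is checked and the request fails before an empty jti reaches the claims.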
Is the jti recommended to be just a random hex string rather than something like a UUID?
As far as I'm aware, within SPIFFE there's no real requirement for it to take any specific form. I'd be open to switching it to a UUID if there's some advantage I'm not seeing.
It prompted me to check the JWT spec and this is what I found in RFC 7519, pasting for reference:

The "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" claim can be used to prevent the JWT from being replayed.
lgtm
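The thread above settles on a random hex jti and quotes the two properties RFC 7519 asks of it: negligible collision probability and usefulness for replay prevention. The following is an added example, not code from this PR or from Teleport, showing both halves in Go: a jti generator that draws from the OS CSPRNG and hex-encodes the bytes (an assumed reimplementation of what the PR's utils.CryptoRandomHex call does; the jtiLength value here is this example's own choice), and a verifier-side ReplayGuard that remembers accepted jti values until the token's exp passes. The ReplayGuard type, its Accept method and the injectable clock are all hypothetical names introduced for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// jtiLength is the number of random bytes behind each JWT ID. The name
// mirrors the constant referenced in the PR; the value is an assumption for
// this example. 16 bytes (128 bits) keeps the birthday-bound collision
// probability below 2^-64 even after 2^32 issued tokens, which satisfies
// RFC 7519's "negligible probability" requirement without any coordination
// between issuers.
const jtiLength = 16

// newJTI returns a fresh random JWT ID as lower-case hex. This is an assumed
// stand-in for utils.CryptoRandomHex: read nBytes from the operating system
// CSPRNG and hex-encode them, failing loudly if the CSPRNG fails.
func newJTI(nBytes int) (string, error) {
	if nBytes <= 0 {
		return "", errors.New("jti length must be positive")
	}
	buf := make([]byte, nBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", fmt.Errorf("reading random bytes for jti: %w", err)
	}
	return hex.EncodeToString(buf), nil
}

// ReplayGuard (hypothetical) remembers the jti of every JWT it has accepted
// until that JWT's exp passes, so a captured token cannot be presented twice
// to the same verifier. Entries are dropped at exp, so memory stays
// proportional to the number of live tokens; this only works if the verifier
// also enforces exp strictly.
type ReplayGuard struct {
	mu   sync.Mutex
	seen map[string]time.Time // jti -> exp
	now  func() time.Time     // injectable clock so tests can move time
}

func NewReplayGuard() *ReplayGuard {
	return &ReplayGuard{seen: make(map[string]time.Time), now: time.Now}
}

// Accept records jti and returns true on first sight; false means the token
// is a replay or is already expired. Expired entries are pruned on every
// call. Expired tokens are refused outright rather than remembered, since
// they fail verification anyway and tracking them would let an attacker
// grow the map with tokens that will never be pruned by their own exp.
func (g *ReplayGuard) Accept(jti string, exp time.Time) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	now := g.now()
	for id, e := range g.seen {
		if !e.After(now) {
			delete(g.seen, id)
		}
	}
	if !exp.After(now) {
		return false
	}
	if _, dup := g.seen[jti]; dup {
		return false
	}
	g.seen[jti] = exp
	return true
}

func main() {
	jti, err := newJTI(jtiLength)
	if err != nil {
		panic(err)
	}
	g := NewReplayGuard()
	exp := time.Now().Add(5 * time.Minute)
	fmt.Println("jti:", jti)
	fmt.Println("first presentation accepted:", g.Accept(jti, exp))
	fmt.Println("replay accepted:", g.Accept(jti, exp))
}
```

A UUIDv4 would carry the same 122 bits of randomness in a longer, structured string; the security property that matters is the CSPRNG source and the byte count, not the encoding, which is why the thread's conclusion that the form is unconstrained holds.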
@@ -213,7 +227,7 @@ func (wis *WorkloadIdentityService) signX509SVID( | |||
// Setup audit log event, we will emit these even on failure to catch any | |||
// authz denials | |||
var serialNumber *big.Int | |||
var spiffeID *url.URL | |||
var spiffeID spiffeid.ID |
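Review bot: changing spiffeID from *url.URL to spiffeid.ID replaces a nilable pointer with a value type, so any `if spiffeID != nil` guard the audit-event population previously relied on will no longer compile and the "not yet parsed" state is now the zero value; use spiffeID.IsZero() (go-spiffe v2) where the event fields are filled in, and note in the surrounding comment that a zero ID means the request was denied before an identity was established.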
It took me a while to build a mental model on spiffeID vs. spiffeid. Maybe if we can alias the imported one as gospiffe?
Co-authored-by: Sakshyam Shah <sshah@goteleport.com>
@strideynet See the table below for backport results.
* Add new event fields
* Add gRPC API for requesting JWT SVIDs
* Add JWT helper for creating JWT SVID
* Add WorkloadIdentityService implementation for issuing JWT svids
* Fix spelling of compatibility
* Use single time to calculate both expiry and iat
* Update api/proto/teleport/legacy/types/events/events.proto

Co-authored-by: Sakshyam Shah <sshah@goteleport.com>

* Regenerate protos

---------

Co-authored-by: Sakshyam Shah <sshah@goteleport.com>

* Workload ID: Add Auth Server JWT SVID support (#46968)
  * Add new event fields
  * Add gRPC API for requesting JWT SVIDs
  * Add JWT helper for creating JWT SVID
  * Add WorkloadIdentityService implementation for issuing JWT svids
  * Fix spelling of compatibility
  * Use single time to calculate both expiry and iat
  * Update api/proto/teleport/legacy/types/events/events.proto

  Co-authored-by: Sakshyam Shah <sshah@goteleport.com>

  * Regenerate protos

  ---------

  Co-authored-by: Sakshyam Shah <sshah@goteleport.com>
* Fix backport
* Fix tests

---------

Co-authored-by: Sakshyam Shah <sshah@goteleport.com>
Adds the appropriate RPCs to the Auth Server to support the issuance of JWT SPIFFE SVIDs.
The next PR will add support for these within tbot.

Part of #38930