fix(model-server): make specifying a key ID optional #1039
Test Results: 179 files, 179 suites, 23m 52s ⏱️ Results for commit 069ee0b. ♻️ This comment has been updated with latest results.
The build is broken because of a new bug in Redocly.
I'm not totally confident on the configuration changes, which are pretty hard to understand given the already existing complexity. Here's just my two cents of things I found while reading.
If no static key ID is configured, then the key ID specified in the JWT is used to verify the token. The key is looked up at the JWK URL with the key ID from the token. This is a fix because it restores functionality that accidentally broke in version 8.14.0.
The logic determining the verifier was a duplicate of the logic used in the additional validation. The logic from the validation (aka `ModelixAuthorizationConfig.nullIfInvalid`) is also used elsewhere. For example, it is used in the workspaces through the modelix-authorization lib. So it was reused in a custom verifier. Calling `ModelixAuthorizationConfig.nullIfInvalid` again in `validate` is redundant. It is now only used to create a custom principal object.
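Added illustration, not part of the commit message or the modelix code base: a stdlib-only Python sketch of the key selection described above, where a configured static key ID is used if present and the token's `kid` is otherwise looked up in the JWKS. The function names, the sample JWKS and the use of symmetric `oct`/HS256 keys are assumptions made so the example runs offline; that a static key ID takes precedence over the token's `kid` is also an assumption.

```python
import base64, hashlib, hmac, json

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Constructed sample standing in for the document served at the JWK URL.
# Symmetric "oct" keys keep this stdlib-only; real JWKS usually hold RSA/EC keys.
SAMPLE_JWKS = {"keys": [
    {"kty": "oct", "kid": "key-a", "alg": "HS256", "k": b64e(b"a" * 32)},
    {"kty": "oct", "kid": "key-b", "alg": "HS256", "k": b64e(b"b" * 32)},
]}

def sign(claims, kid, secret):
    """Helper for building sample HS256 tokens (hypothetical, for the demo only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    body = b64e(json.dumps(header).encode()) + "." + b64e(json.dumps(claims).encode())
    return body + "." + b64e(hmac.new(secret, body.encode(), hashlib.sha256).digest())

def verify(token, jwks, static_kid=None):
    """Return the claims if the signature checks out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64d(header_b64))
        # Static key ID wins if configured; otherwise fall back to the token's kid.
        kid = static_kid if static_kid is not None else header.get("kid")
        # The kid is untrusted input: it may only select among keys in the trusted JWKS.
        key = next((k for k in jwks["keys"] if k.get("kid") == kid), None)
        if kid is None or key is None:
            return None
        # Pin the algorithm to the key, never to the token header alone.
        if key["kty"] != "oct" or header.get("alg") != key["alg"]:
            return None
        body = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(b64d(key["k"]), body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig_b64)):
            return None
        return json.loads(b64d(payload_b64))
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
```
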
Tested modelix.kubernetes with these changes.
🎉 This PR is included in version 9.1.3 🎉

The release is available on GitHub release.

Your semantic-release bot 📦🚀