arrikto / oidc-authservice

This is a fork/refactoring of the ajmyyra/ambassador-auth-oidc project
MIT License

Introduce JWT access token authenticator and disable-authenticator functionality #89

Closed athamark closed 2 years ago

athamark commented 2 years ago

In this PR, we introduce:

  1. a new JWT access token authenticator.
  2. a disable functionality for specific authenticators

1. JWT access token authenticator

We utilize the go-oidc implementation of the ID Token verifier (which we already use for the ID Token authenticator). Additionally, we perform some local checks to validate whether or not the received request was intended to be validated by the JWT authenticator. If the request was indeed destined for this authenticator, then AuthService checks none of the rest of the available authenticators.

The idea is to perform locally the necessary validation for the received access tokens based on the signatures of the JWT access tokens.

Our implementation should meet the following requirements: Once AuthService receives a JWT access token it has to . Our new authenticator should be able to meet specific requirements. Here we will give a list of specs:

  1. When the JWT Token Authenticator fails, AuthService should perform the following sequence of local checks:

    • Parse the JWT.
    • Check that iss / aud match the authenticator.

    If one of these local checks fails, this means that the inspected token was not destined for our JWT Token Authenticator; AuthService should return HTTP 301 status and it should check the rest of the available authenticators. However, if these checks were successful, this means that AuthService tried the appropriate authenticator and the authentication failed. In this scenario, AuthService will return HTTP 401 and will not try out any other authenticator.

  2. If the JWT access token is expired, then:
    • the authenticator should return an HTTP 401
    • the authenticator should not check the rest of the available authenticators
  3. If the JWT access token has an invalid signature (sig), then:
    • the authenticator should return an HTTP 401
    • the authenticator should not check the rest of the available authenticators
  4. If the JWT access token is malformed, then our authenticator should fail to authenticate the request and AuthService should try out the next available authenticator.
  5. If AuthService cannot retrieve either the User ID or the groups claim from the JWT access token, it should return HTTP 401 status and not try out the rest of the authenticators.

    AuthService should only accept valid JWT access tokens.

2. Disable Authenticators

We now allow the admins to disable the authenticators that they do not need for their use case. They can disable either one of the following authenticators:

This functionality can benefit the users in scenarios where the identities to be authenticated do not correspond to one of the authenticators. For example, there are installations where no Kubernetes identities are being authenticated. In this case, the Kubernetes authenticator simply adds unnecessary authentication overhead.

Description of your changes

For the first part, we have added some unit tests for the helper functions that our new authenticator is using. For the second part, OIDC AuthService can be configured to skip a particular authentication method via the following configurations:

Setting                   Default  Description
IDTOKEN_AUTHN_ENABLED     true     Set IDTOKEN_AUTHN_ENABLED to false to disable the ID token authentication method.
JWT_AUTHN_ENABLED         true     Set JWT_AUTHN_ENABLED to false to disable the JWT access token authentication method.
KUBERNETES_AUTHN_ENABLED  true     Set KUBERNETES_AUTHN_ENABLED to false to disable the Kubernetes authentication method.

Requirements:
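The decision sequence of the JWT access token authenticator described in the PR, as an added Go example that is not code from arrikto/oidc-authservice: a malformed token or an iss/aud mismatch falls through to the next authenticator, while a bad signature, an expired token or missing identity claims stop with a 401. The Verify callback is a hypothetical stand-in for go-oidc's signature verifier (so the example runs offline), and aud is simplified to a single string.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"strings"
	"time"
)

// Outcome is the authenticator's decision as laid out in the PR description.
type Outcome int
const (
	TryNext       Outcome = iota // not meant for this authenticator, or malformed
	Unauthorized                 // HTTP 401; no further authenticator is tried
	Authenticated
)
// JWTAuthenticator knows the issuer and audience it serves. Verify is a
// hypothetical callback standing in for go-oidc's signature verifier.
type JWTAuthenticator struct {
	Issuer, Audience string
	Verify           func(rawToken string) error
}
// Authenticate applies the PR's checks in order: parse, iss/aud, signature and
// expiry, then the identity claims. The second value is the user ID (sub).
func (a JWTAuthenticator) Authenticate(raw string) (Outcome, string) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return TryNext, "" // malformed token: let the next authenticator try
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c struct {
		Iss, Aud, Sub string // aud simplified to a single string in this example
		Exp           int64
		Groups        []string
	}
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return TryNext, "" // undecodable payload counts as malformed
	}
	if c.Iss != a.Issuer || c.Aud != a.Audience {
		return TryNext, "" // local checks fail: token was issued for someone else
	}
	if a.Verify(raw) != nil || time.Unix(c.Exp, 0).Before(time.Now()) {
		return Unauthorized, "" // bad signature or expired: 401, stop here
	}
	if c.Sub == "" && len(c.Groups) == 0 {
		return Unauthorized, "" // neither user ID nor groups claim: 401, stop here
	}
	return Authenticated, c.Sub
}
```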