In this PR, we introduce:
- a JWT access token authenticator
- a disable functionality for specific authenticators
1. JWT access token authenticator
We utilize the go-oidc implementation of the ID Token verifier (which we already use for the ID Token authenticator). Additionally, we perform some local checks to validate whether or not the received request was intended to be validated by the JWT authenticator. If the request was indeed destined for this authenticator, then AuthService does not check any of the remaining authenticators.
The idea is to perform locally the necessary validation for the received access tokens based on the signatures of the JWT access tokens.
Our implementation should meet the following requirements. Once AuthService receives a JWT access token it has to . Here is the list of specs:
When the JWT Token Authenticator fails, AuthService should perform the following sequence of local checks:
1. Parse the JWT.
2. Check that `iss` / `aud` match the authenticator.

If one of these local checks fails, the inspected token was not destined for our JWT Token Authenticator: AuthService should return `HTTP 301` status and check the rest of the available authenticators. However, if these checks succeed, AuthService tried the appropriate authenticator and the authentication failed. In this scenario, AuthService will return `HTTP 401` and will not try out any other authenticator.

If the JWT access token is expired, then:
- the authenticator should return an `HTTP 401`
- the authenticator should not check the rest of the available authenticators

If the JWT access token has an invalid signature (`sig`), then:
- the authenticator should return an `HTTP 401`
- the authenticator should not check the rest of the available authenticators

If the JWT access token is malformed, then our authenticator should fail to authenticate the request and AuthService should try out the next available authenticator.

If AuthService cannot retrieve the `User ID` or the `groups` claim from the JWT access token, it should return `HTTP 401` status and not try out the rest of the authenticators.

AuthService should only accept valid JWT access tokens.
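As an added illustration, not code from this PR or from oidc-authservice, the decision sequence above written out in Go with only the standard library. Plain RS256 verification stands in for the go-oidc verifier the PR uses; the claim names `sub` and `groups`, the single-string `aud`, and the `Authenticated`/`TryNext`/`Reject` outcomes are assumptions; the issuer key and every token are constructed inside `Scenarios` so the block runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type Outcome int

const (
	Authenticated Outcome = iota // identity extracted; stop the chain
	TryNext                      // token was not destined for this authenticator; try the next one
	Reject                       // token was ours but invalid: HTTP 401, do not try the others
)

// Claims the local checks need; claim names are assumptions and "aud" is modelled as a string only.
type Claims struct {
	Iss    string   `json:"iss"`
	Aud    string   `json:"aud"`
	Exp    int64    `json:"exp"`
	Sub    string   `json:"sub,omitempty"`
	Groups []string `json:"groups,omitempty"`
}

type JWTAuthenticator struct { // the issuer, audience and public key this authenticator answers for
	Issuer, Audience string
	Key              *rsa.PublicKey
}

// Authenticate applies the local checks in the order the PR lists them.
func (a *JWTAuthenticator) Authenticate(token string) (Outcome, *Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return TryNext, nil, fmt.Errorf("malformed token") // not a JWT: the next authenticator's turn
	}
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	var c Claims
	for i, dst := range []interface{}{&hdr, &c} {
		raw, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err != nil || json.Unmarshal(raw, dst) != nil {
			return TryNext, nil, fmt.Errorf("malformed segment %d", i)
		}
	}
	if c.Iss != a.Issuer || c.Aud != a.Audience {
		return TryNext, nil, fmt.Errorf("iss/aud do not match this authenticator")
	}
	// The token was meant for us: from here on every failure is a hard 401.
	if hdr.Alg != "RS256" { // pin the algorithm; never let the token's header choose it
		return Reject, nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(a.Key, crypto.SHA256, digest[:], sig) != nil {
		return Reject, nil, fmt.Errorf("invalid signature")
	}
	if !time.Now().Before(time.Unix(c.Exp, 0)) {
		return Reject, nil, fmt.Errorf("token expired")
	}
	if c.Sub == "" || len(c.Groups) == 0 {
		return Reject, nil, fmt.Errorf("user id or groups claim missing")
	}
	return Authenticated, &c, nil
}

func Mint(priv *rsa.PrivateKey, c Claims) string { // RS256 signer used only to build the sample tokens
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc(sig)
}

// Scenarios feeds one constructed token per rule through the authenticator.
func Scenarios() map[string]Outcome {
	issuerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	strangerKey, _ := rsa.GenerateKey(rand.Reader, 2048) // a key the authenticator does not trust
	a := &JWTAuthenticator{Issuer: "https://issuer.example", Audience: "authservice", Key: &issuerKey.PublicKey}
	good := Claims{Iss: a.Issuer, Aud: a.Audience, Exp: time.Now().Add(time.Hour).Unix(), Sub: "alice", Groups: []string{"dev"}}
	foreign, expired, anon := good, good, good
	foreign.Iss, expired.Exp, anon.Sub, anon.Groups = "https://other.example", time.Now().Add(-time.Minute).Unix(), "", nil
	cases := map[string]string{
		"valid": Mint(issuerKey, good), "malformed": "not.a.jwt", "other-issuer": Mint(issuerKey, foreign),
		"bad-signature": Mint(strangerKey, good), "expired": Mint(issuerKey, expired), "no-identity": Mint(issuerKey, anon),
	}
	out := map[string]Outcome{}
	for name, tok := range cases {
		out[name], _, _ = a.Authenticate(tok)
	}
	return out
}
```

The split between `TryNext` and `Reject` is the security-relevant part: only the two cheap checks that identify the token's owner (well-formedness and `iss`/`aud`) may hand the request to another authenticator; once a token is known to be ours, a bad signature, expiry or missing identity claim ends the chain with a 401 so that a weaker authenticator never gets a second look at it.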
2. Disable Authenticators
We now allow admins to disable any authenticator they do not need for their use case. They can disable any of the following authenticators:
- "idtoken authenticator": set the new `IDTOKEN_AUTHN_ENABLED` envvar to `false`
- "JWT access token authenticator": set the new `JWT_AUTHN_ENABLED` envvar to `false`
- "kubernetes authenticator": set the new `KUBERNETES_AUTHN_ENABLED` envvar to `false`

This functionality benefits users in scenarios where the identities to be authenticated do not correspond to one of the authenticators. For example, there are installations where no Kubernetes identities are being authenticated. In this case, the Kubernetes authenticator simply adds unnecessary authentication overhead.
Description of your changes
For the first part, we have added some unit tests for the helper functions that our new authenticator is using.
For the second part, OIDC AuthService can be configured to skip a particular authentication method via the following configurations:

| Setting | Default | Description |
| --- | --- | --- |
| `IDTOKEN_AUTHN_ENABLED` | `true` | Set `IDTOKEN_AUTHN_ENABLED` to `false` to disable the ID token authentication method. |
| `JWT_AUTHN_ENABLED` | `true` | Set `JWT_AUTHN_ENABLED` to `false` to disable the JWT access token authentication method. |
| `KUBERNETES_AUTHN_ENABLED` | `true` | Set `KUBERNETES_AUTHN_ENABLED` to `false` to disable the Kubernetes authentication method. |
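An added example, not the project's own code, of what these switches mean for the authentication chain: `enabled` reads a `*_AUTHN_ENABLED` variable with a default of `true`, `BuildChain` drops the disabled authenticators while keeping their order, and `RunChain` applies the "do not try the rest" rule from the first section. The `Authenticator` shape, the prefix-matching sample authenticators, the `Demo` requests and the use of `strconv.ParseBool` to interpret the variable are assumptions for illustration; the page does not state which spellings of false the real configuration loader accepts.

```go
package main

import (
	"strconv"
	"strings"
)

// Outcome is how one authenticator ends for a request (the same three cases as the PR's rules).
type Outcome int

const (
	Authenticated Outcome = iota
	TryNext // not this authenticator's token: move on to the next one
	Reject  // this authenticator's token but invalid: HTTP 401, stop the chain
)

// Authenticator is a hypothetical minimal shape for the chain; not the project's own type.
type Authenticator struct {
	Name, Switch string // Switch is the *_AUTHN_ENABLED variable that can disable it
	Check        func(token string) Outcome
}

// enabled treats an unset or unparsable switch as true, so only an explicit false disables.
func enabled(getenv func(string) string, name string) bool {
	v, err := strconv.ParseBool(strings.TrimSpace(getenv(name)))
	return err != nil || v
}

// BuildChain drops the disabled authenticators and keeps the configured order.
func BuildChain(getenv func(string) string, all []Authenticator) []Authenticator {
	var chain []Authenticator
	for _, a := range all {
		if enabled(getenv, a.Switch) {
			chain = append(chain, a)
		}
	}
	return chain
}

// RunChain tries authenticators in order: TryNext moves on, Authenticated and Reject stop.
// When every authenticator falls through, the request gets the redirect status the PR describes.
func RunChain(chain []Authenticator, token string) (status int, by string) {
	for _, a := range chain {
		switch a.Check(token) {
		case Authenticated:
			return 200, a.Name
		case Reject:
			return 401, a.Name
		}
	}
	return 301, ""
}

// prefixAuth builds a constructed sample authenticator: it owns tokens carrying its prefix and
// rejects an owned token marked expired, mimicking the "ours but invalid" rule.
func prefixAuth(name, sw, prefix string) Authenticator {
	return Authenticator{Name: name, Switch: sw, Check: func(t string) Outcome {
		switch {
		case !strings.HasPrefix(t, prefix):
			return TryNext
		case strings.HasSuffix(t, ":expired"):
			return Reject
		}
		return Authenticated
	}}
}

// All lists the three authenticators in the order the PR names them, each with its switch.
var All = []Authenticator{
	prefixAuth("idtoken", "IDTOKEN_AUTHN_ENABLED", "id:"),
	prefixAuth("jwt", "JWT_AUTHN_ENABLED", "jwt:"),
	prefixAuth("kubernetes", "KUBERNETES_AUTHN_ENABLED", "k8s:"),
}

// Demo runs constructed requests against the default chain and one with Kubernetes disabled.
func Demo() map[string]int {
	defaults := BuildChain(func(string) string { return "" }, All)
	noK8s := BuildChain(func(k string) string {
		if k == "KUBERNETES_AUTHN_ENABLED" {
			return "false"
		}
		return ""
	}, All)
	res := map[string]int{}
	res["k8s-default"], _ = RunChain(defaults, "k8s:sa-token")   // 200: Kubernetes authenticator accepts it
	res["k8s-disabled"], _ = RunChain(noK8s, "k8s:sa-token")     // 301: nobody left to accept it
	res["jwt-expired"], _ = RunChain(defaults, "jwt:abc:expired") // 401: JWT rejects, Kubernetes is never asked
	res["unknown"], _ = RunChain(defaults, "garbage")             // 301: every authenticator passes
	return res
}
```

Disabling an authenticator removes acceptance of that identity class entirely: in `Demo` the service-account style token that the default chain accepts falls through to the login redirect once `KUBERNETES_AUTHN_ENABLED=false`, so the switch belongs only in installations where no such identities are expected, which is the scenario the PR describes.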
Requirements:
We have tested the above with PingID as the integrated Identity Provider