istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

prevent invalid JWKs in StaticJwksResolver #170

Closed Shikugawa closed 3 years ago

Shikugawa commented 3 years ago

Signed-off-by: Shikugawa Shikugawa@gmail.com

In the previous implementation, invalid JWKs were accepted in StaticJwksResolver. With this PR, it throws an exception if invalid JWKs are passed through the configuration.

incfly commented 3 years ago

Thanks for the change. So if the users are setting up invalid static JWKs, what is the difference in behavior before and after this PR? Before, I think authservice will start successfully but fail at the JWT ID token verification. How will it look after this PR?

Shikugawa commented 3 years ago

> Thanks for the change. So if the users are setting up invalid static JWKs, what is the difference in behavior before and after this PR? Before, I think authservice will start successfully but fail at the JWT ID token verification. How will it look after this PR?

Yes. In the previous code, if the user passed invalid JWKs, token verification failed. But that is very odd behavior. We should tell users that the JWKs are invalid.
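The fail-fast behavior discussed above, as an added example that is neither authservice's own code nor its StaticJwksResolver: a hypothetical loader that rejects a structurally invalid static JWKS when the configuration is read, so a bad key set surfaces at startup instead of at the first ID token verification. The function names and the sample JWKS are assumptions made for this illustration.

```python
import base64
import json
import re

# Base64url members per key type (RFC 7517/7518); the EC "crv" name is checked separately.
REQUIRED_B64 = {"RSA": ("n", "e"), "EC": ("x", "y"), "oct": ("k",)}
BASE64URL = re.compile(r"[A-Za-z0-9_-]+")

class InvalidJwksError(ValueError):
    """Raised when the configured JWKS is loaded, not at the first token check."""

def _is_base64url(value):
    """True if value is a non-empty, unpadded base64url string that decodes."""
    if not isinstance(value, str) or not BASE64URL.fullmatch(value):
        return False
    try:
        base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True

def load_static_jwks(raw):
    """Parse a JWKS document and return its keys, or raise InvalidJwksError."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise InvalidJwksError(f"JWKS is not valid JSON: {exc}") from exc
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        raise InvalidJwksError('JWKS must be an object with a non-empty "keys" list')
    for i, jwk in enumerate(keys):
        kty = jwk.get("kty") if isinstance(jwk, dict) else None
        if kty not in REQUIRED_B64:
            raise InvalidJwksError(f"keys[{i}]: missing or unsupported kty {kty!r}")
        if kty == "EC" and not isinstance(jwk.get("crv"), str):
            raise InvalidJwksError(f"keys[{i}]: EC key without crv")
        for member in REQUIRED_B64[kty]:
            if not _is_base64url(jwk.get(member)):
                raise InvalidJwksError(f"keys[{i}]: {member!r} missing or not base64url")
    return keys

def is_valid_static_jwks(raw):
    """Boolean form of the check a startup config loader would gate on."""
    try:
        load_static_jwks(raw)
    except InvalidJwksError:
        return False
    return True

# Constructed sample; the RSA members are arbitrary base64url text, not real key material.
VALID_JWKS = '{"keys":[{"kty":"RSA","kid":"k1","n":"wUB3-cZdOUZw","e":"AQAB"}]}'
```

A configuration loader that calls `load_static_jwks` during startup turns a malformed key set into an immediate, attributable error rather than a stream of failed verifications later.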

istio-testing commented 3 years ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: incfly, Shikugawa

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/istio-ecosystem/authservice/blob/master/OWNERS)~~ [incfly]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.