JWKS JWT validation #6 (Merged)
rubiojr force-pushed the `jwks` branch 2 times, most recently from a4c4e1f to 09f9704 on January 6, 2022 13:48.

- Grabs the issuer after parsing the token and tries to verify it using the issuer's well known JWKS.
- Use docker-compose instead to run a charm server.
- * Relax the security section a bit
  * Mention the new server flags and remove old ones
Tavern JWT tokens

Charm can now mint[^1] JWT tokens with a custom audience that can be used to validate[^2] that the user publishing to a Tavern server has access to a given Charm server, without giving the Tavern server access to other Charm server resources: a simple proof the Tavern server can use to check that the Tavern client trying to publish can access a Charm server (any Charm server).

The `--allowed-charm-servers` server flag, also implemented here (see below), complements this to only allow clients from a given Charm server to publish files, if specified. This improves security when using trusted Tavern clients (i.e. the one you downloaded from this repo) with untrusted Tavern servers hosted by a third party.

In practical terms, the Tavern client now asks the Charm server to mint a new JWT token with a `tavern` audience, and that JWT token is sent to the Tavern server, which verifies the token is a valid token issued by that Charm server (encoded in the JWT). The Charm server only grants clients with a `charm` audience access to its resources, so the untrusted Tavern server can't use the JWT token sent by the Tavern client to access any Charm server resources as a result. For example, a JWT token with a `tavern` audience can't be used to list CharmFS files:

Using a trusted Tavern client is of paramount importance of course, as a rogue Tavern client could mint tokens with a `charm` audience, granting the Tavern server unlimited access to the Charm server.

This feature currently requires an unreleased Charm server version.
Charm server allow list

Added a Charm server allow list argument to specify which Charm servers can be used to publish on a given Tavern server, by specifying the allowed Charm server FQDNs, so you can allow publishing by users of your own Charm server, for example:

Multiple servers can be allowed by repeating the `--allowed-charm-servers` flag. By default, any user from any Charm server can publish.
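The two mechanisms above (audience-scoped tokens and the Charm server allow list), as an added example that is not Tavern's or Charm's own code: a Charm server mints a token with a `tavern` audience, and the receiving side picks the issuer's key, checks the signature, the allow list and the expected audience. It assumes Go's standard-library Ed25519 (JWT alg `EdDSA`) and the claim names `iss`/`aud`; the `jwks` map stands in for fetching the issuer's well-known JWKS.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims is the subset of the minted token this example needs (assumed claim names).
type Claims struct {
	Iss string `json:"iss"` // FQDN of the Charm server that minted the token
	Aud string `json:"aud"` // "tavern" for publishing, "charm" for Charm resources
}
var b64 = base64.RawURLEncoding

// Mint signs claims with a Charm server's Ed25519 key (JWT alg "EdDSA", assumed here).
func Mint(priv ed25519.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return signing + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signing)))
}

// Verify mirrors the receiving side: the issuer is read from the not-yet-trusted claims only
// to choose the key (jwks stands in for the issuer's fetched JWKS); after the signature checks
// out, the allow list (empty = any Charm server, the default) and the audience are enforced.
func Verify(token string, jwks map[string]ed25519.PublicKey, allowed map[string]bool, wantAud string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	var c Claims
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("unsupported or invalid header") // rejects alg=none and alg confusion
	}
	if p, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &c) != nil {
		return nil, errors.New("invalid payload")
	}
	pub := jwks[c.Iss] // nil when the issuer published no key we know of
	if sig, err := b64.DecodeString(parts[2]); pub == nil || err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("unknown issuer or bad signature")
	}
	if len(allowed) > 0 && !allowed[c.Iss] {
		return nil, errors.New("issuer not in --allowed-charm-servers")
	}
	if c.Aud != wantAud {
		return nil, errors.New("audience " + c.Aud + " is not " + wantAud)
	}
	return &c, nil
}
```

A Tavern server calls `Verify` with `wantAud = "tavern"`, while a Charm server would call it with `wantAud = "charm"`, which is why the token handed to the Tavern server is useless against Charm resources.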
Massive props ⚡ and thanks to @toby and the Charm fellas who worked with me to make this possible.
Footnotes

[^1]: Charm PR introducing JWT custom audiences
[^2]: JWKS validation