feat(jans-cedarling): implement CEDARLING_ID_TOKEN_TRUST_MODE #10585
Conversation
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
mo-auto
added
the
area-documentation
| Strict, | ||
| } | ||
|
|
||
| impl FromStr for IdTokenTrustMode { |
There was a problem hiding this comment.
This is not used anywhere?
There was a problem hiding this comment.
sorry about that, must've missed it since rustanalyzer isn't complaining. removed in 9e964d4
| jwt::{Token, TokenClaimTypeError}, | ||
| }; | ||
|
|
||
| pub fn enforce_id_tkn_trust_mode(tokens: &DecodedTokens) -> Result<(), IdTokenTrustModeError> { |
There was a problem hiding this comment.
Please write a small description for at least public functions
There was a problem hiding this comment.
added a docstring that describes what the function does here: 4208d86
| jwt::{Token, TokenClaimTypeError}, | ||
| }; | ||
|
|
||
| pub fn enforce_id_tkn_trust_mode(tokens: &DecodedTokens) -> Result<(), IdTokenTrustModeError> { |
There was a problem hiding this comment.
maybe you can have something more descriptive by renaming this function to validate_id_token_trust_mode, but it's up to you
There was a problem hiding this comment.
that might be a better name. renamed the function here: ff0c60e
| #[derive(Debug, thiserror::Error)] | ||
| pub enum IdTokenTrustModeError { | ||
| #[error("the access token's `client_id` does not match with the id token's `aud`")] | ||
| ClientIdIdTokenAudMismatch, |
There was a problem hiding this comment.
maybe you can rename this one to AccessTokenClientIdMismatch to avoid some typing error
There was a problem hiding this comment.
renamed here 2195d90
| fn get_tkn_claim_as_str( | ||
| token: &Token, | ||
| claim_name: &str, | ||
| ) -> Result<Box<str>, IdTokenTrustModeError> { | ||
| let claim = token | ||
| .get_claim(claim_name) | ||
| .ok_or(IdTokenTrustModeError::MissingRequiredClaim( | ||
| claim_name.to_string(), | ||
| token.kind, | ||
| ))?; | ||
| let claim_str = claim | ||
| .as_str() | ||
| .map_err(|e| IdTokenTrustModeError::TokenClaimTypeError(token.kind, e))?; | ||
| Ok(claim_str.into()) | ||
| } |
There was a problem hiding this comment.
You can simplify this function by
fn get_tkn_claim_as_str(
token: &Token,
claim_name: &str,
) -> Result<Box<str>, IdTokenTrustModeError> {
token
.get_claim(claim_name)
.ok_or_else(|| IdTokenTrustModeError::MissingRequiredClaim(claim_name.to_string(), token.kind))
.and_then(|claim| claim.as_str()
.map(|s| s.into())
.map_err(|e| IdTokenTrustModeError::TokenClaimTypeError(token.kind, e)))
}
There was a problem hiding this comment.
I think that is less readable... but I think can get used to it so i changed it here fdda12e
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
- rename enforce_id_tkn_trust_mode to validate_id_tkn_trust_mode Signed-off-by: rmarinn <[email protected]>
- rename ClientIdIdTokenAudMismatch to AccessTokenClientIdMismatch Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Prepare
Description
This PR implements ID token trust mode which can be set via the
CEDARLING_ID_TOKEN_TRUST_MODEbootstrap property. The trust mode implements additional checks done on the input token's claims. This PR introduces two modes:NoneandStrict(more info below).Target issue
target issue: #10479
closes: #10479
Implementation Details
NoneModeNo additional validations checks on the tokens are implemented.
StrictModeid_token.audmust match theaccess_token.client_id.submust match theid_token.sub.audmust match theaccess_token.client_id.Test and Document the changes
Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with
docs:to indicate documentation changes or if the below checklist is not selected.