Conversation
Signed-off-by: cwillum <cwmmoore@amazon.com>
@cwperks Can you check me on this, language, accuracy, and what else you might see? Thanks.
## Time disparity compensation for JSON Web Token validation
Occasionally you may find that the clock times between the validation server and the OpenSearch node are not perfectly synchronized. When this is the case, even by a few seconds, the system that either issues or receives a JWT may try to validate `nbf` (not before) and `exp` (expiration) claims and fail to authenticate the user due to the time disparity.
I have been referring to the system that generates the JWTs as the Authentication server. Upon successful Authentication it generates the token and gives it back to the authenticated user who can then bear the token for subsequent requests. What do you think about authentication server instead of validation server?
I'm with you on that. Thanks. (authentication server)
Waiting for availability on doc team review.
carolxob
left a comment
LGTM with a few very minor suggestions.
hdhalter
left a comment
Looks good! A couple of minor suggestions.
The payload of a JSON web token contains the so-called [JWT Claims](https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#RegisteredClaimName). A claim can be any piece of information about the user that the application that created the token has verified.
The payload of a JSON Web Token contains the so-called [JWT Claims](https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#RegisteredClaimName). A claim can be any piece of information about the user that the application that created the token has verified.
The specification defines a set of standard claims with reserved names ("registered claims"). These include, for example, the token issuer, the expiration date, or the creation date.
When you say 'these include...' do you need to say, 'for example'? Could you just say, 'The standard claims include the token issuer, the expiration date...' or are they examples of reserved names?
These are just examples of the many registered claims that exist. I have rewritten this statement in the hopes of bestowing the claim with a richness of clarity.
natebower
left a comment
@cwillum Please confirm that JWT is defined on first appearance in each file and that only the acronym is used thereafter. If the first use of an acronym is in a heading, retain the acronym in the heading, and then write out the term in the following body text, followed by the acronym in parentheses. Let me know if you have any questions. Thanks!
…esolves authentication errors (#3251) * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> --------- Signed-off-by: cwillum <cwmmoore@amazon.com> (cherry picked from commit 15d324d) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…esolves authentication errors (#3251) (#3607) * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew --------- (cherry picked from commit 15d324d) Signed-off-by: cwillum <cwmmoore@amazon.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…esolves authentication errors (#3251) (#3606) * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew --------- (cherry picked from commit 15d324d) Signed-off-by: cwillum <cwmmoore@amazon.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…esolves authentication errors (#3251) (#3605) * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew --------- (cherry picked from commit 15d324d) Signed-off-by: cwillum <cwmmoore@amazon.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…esolves authentication errors (#3251) (#3604) * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew --------- (cherry picked from commit 15d324d) Signed-off-by: cwillum <cwmmoore@amazon.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…esolves authentication errors (#3251) (#3603) * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew --------- (cherry picked from commit 15d324d) Signed-off-by: cwillum <cwmmoore@amazon.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…esolves authentication errors (#3251) (#3602) * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew --------- (cherry picked from commit 15d324d) Signed-off-by: cwillum <cwmmoore@amazon.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…esolves authentication errors (#3251) (#3601) * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew * fix#3220 auth fail from clock skew --------- (cherry picked from commit 15d324d) Signed-off-by: cwillum <cwmmoore@amazon.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…esolves authentication errors (#3251) * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> --------- Signed-off-by: cwillum <cwmmoore@amazon.com>
…esolves authentication errors (opensearch-project#3251) * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> * fix#3220 auth fail from clock skew Signed-off-by: cwillum <cwmmoore@amazon.com> --------- Signed-off-by: cwillum <cwmmoore@amazon.com>
Description
Security added a new setting to be used for JWT, SAML, and OIDC backend configurations when a disparity between the clock time of the validation servers and the token causes authentication to fail.
Issues Resolved
Added new documentation to JWT, SAML, and OIDC backend documentation for the new `jwt_clock_skew_tolerance_seconds` setting. Fixes #3220
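As an added illustration (not code from this PR or from the OpenSearch security plugin): the `nbf`/`exp` checks that fail when the authentication server's clock and the node's clock drift apart, and how a tolerance in seconds, the role the `jwt_clock_skew_tolerance_seconds` setting documented here plays, widens them. The validator function, the 5-second skew and the timestamps are constructed for the example.

```python
# Added example, not the OpenSearch security plugin's own code. It models the
# nbf/exp checks a token validator performs and widens them by a clock-skew
# tolerance in seconds, the role the documented jwt_clock_skew_tolerance_seconds
# setting plays. Clock values below are constructed for the demo.

def check_time_claims(claims, now, tolerance_seconds=0):
    """Validate the time-based claims of a decoded JWT payload.

    claims: dict with optional integer 'nbf' and 'exp' (Unix seconds).
    now: the validator's own clock (Unix seconds).
    Returns (ok, reason). Signature and other claims are assumed to be
    checked elsewhere; this only answers the clock question.
    """
    if tolerance_seconds < 0:
        raise ValueError("tolerance_seconds must be non-negative")
    nbf = claims.get("nbf")
    exp = claims.get("exp")
    # RFC 7519: the current time must not be before nbf. With tolerance, the
    # token is only rejected when nbf lies more than tolerance_seconds ahead.
    if nbf is not None and now + tolerance_seconds < nbf:
        return False, "nbf: token not yet valid (issuer clock ahead of ours?)"
    # RFC 7519: the current time must be before exp. With tolerance, the
    # token is only rejected when exp lies more than tolerance_seconds behind.
    if exp is not None and now - tolerance_seconds >= exp:
        return False, "exp: token expired"
    return True, "ok"

# Constructed scenario: the authentication server's clock runs 5 s ahead of
# the OpenSearch node. It issues a 5-minute token valid from "its now".
ISSUER_NOW = 1_700_000_000
NODE_NOW = ISSUER_NOW - 5
FRESH_TOKEN = {"sub": "alice", "nbf": ISSUER_NOW, "exp": ISSUER_NOW + 300}
# A token that expired ten minutes ago on the node's clock.
STALE_TOKEN = {"sub": "bob", "nbf": NODE_NOW - 900, "exp": NODE_NOW - 600}

def demo():
    """Run the scenario and return the accept/reject outcome per case."""
    return {
        "fresh_no_tolerance": check_time_claims(FRESH_TOKEN, NODE_NOW, 0)[0],
        "fresh_with_tolerance": check_time_claims(FRESH_TOKEN, NODE_NOW, 30)[0],
        "stale_with_tolerance": check_time_claims(STALE_TOKEN, NODE_NOW, 30)[0],
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The fresh token is rejected with no tolerance because its `nbf` is 5 seconds in the node's future, accepted with a 30-second tolerance, and the long-expired token stays rejected regardless, so the tolerance should be kept small enough to cover real drift only.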
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.