-
Notifications
You must be signed in to change notification settings - Fork 484
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure Non-Empty JWT Bundles Before Adding to FetchJWTBundles Response #5031
Conversation
Thanks for opening this, @maxlambrecht! One concern with omitting the bundle from the map completely is that this situation becomes ambiguous with a situation where there is no federation relationship set up with the other trust domain at all. This can complicate debugging. Before we consider taking this change, and potentially impacting debuggability, can you give more details on how you've seen clients fail in this scenario? Was it because the JWKS contained a keys field with a null value (e.g. |
Yes, the issue arises because the JWKS contains a keys field with a null value, Given this, should we consider updating the client's behavior to treat a null keys value as a valid set of keys? I believe a similar issue might be present in libraries such as |
Go doesn't have this problem. It follows the JSON standard and can successfully unmarshal However, if we're worried about other languages failing to treat |
Thanks for the clarification on Go's handling of |
Thank you @maxlambrecht ! |
I've updated the Python library to gracefully handle both {"keys": null} and {"keys": []} scenarios. However, the Java and Rust SPIFFE libraries currently do not support {"keys": null} but can handle {"keys": []} without issue. Adopting your suggestion to return |
Signed-off-by: Max Lambrecht <[email protected]>
Signed-off-by: Max Lambrecht <[email protected]>
ab2d62b
to
2c30600
Compare
I've implemented the proposed changes to include a JSON object with an empty array |
Pull Request check list
Affected functionality
Description of change
This PR addresses a specific issue encountered when a Federated X.509 bundle is configured via the SPIRE Server command
./spire-server bundle set
. In the current behavior, while theFetchJWTBundles
operation correctly includes the Federated trust domain within the bundles' map, it fails to account for scenarios where the associated JWT bundle is empty. This oversight leads to the inclusion of empty JWT bundle values in the response map. Such occurrences can cause errors in clients consuming the Workload API, as they might not be equipped to handle empty JWT bundle entries properly.Proposed Change:
To mitigate this issue this PR introduces a validation step that ensures a JWT bundle is not empty before its inclusion in the response map.
Update:
To effectively address the identified issue, we've chosen to include a JSON object with an empty array
{"keys": []}
in the JwtBundles response for any federated trust domain that lacks an associated JWT bundle. This solution not only resolves the problem of handling empty JWT bundles but also maintains the response's debuggability.It has been tested that this response can be handled correctly by Go, Java, Rust, and Python client libraries.
Which issue this PR fixes