Support for multi-value audience claims in JWT token #13490
kokosing merged 3 commits into trinodb:master from
Conversation
Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: rstyp.
Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla
lukasz-walkiewicz
left a comment
Looks like a good start but we need to add tests for this change.
Please take a look at io.trino.server.security.TestResourceSecurity. There are a few tests for JWT authentication.
Typically we use Optional for values that can have null.
@lukasz-walkiewicz changed it to Optional
@rstyp Please sign CLA. See instructions from cla-bot.
@lukasz-walkiewicz CLA is signed now.
lukasz-walkiewicz
left a comment
Sorry for the delay @rstyp. Looks good, just a couple of minor comments.
|
|
||
| private void validateAudience(Claims claims) | ||
| { | ||
| Object tokenAudience = claims.get(AUDIENCE); |
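Review bot: `claims.get(AUDIENCE)` in `validateAudience` yields an untyped `Object`, which can be null when the token carries no `aud` claim, a single string, or a collection. The checks that follow should fail closed: when a required audience is configured, reject a missing claim and any value that is neither a string nor a collection of strings, and compare each element by exact equality rather than by substring or prefix.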
change order, if requiredAudience is empty then getting audience from claims is redundant
| } | ||
|
|
||
| @Test | ||
| public void testJwtAuthenticatorWithInvalidAudience() |
I think we're missing a test with empty audience and without http-server.authentication.jwt.required-audience specified.
Thank you @lukasz-walkiewicz
CI hit: #12818
CI hit: #13288
Merged, thanks
Description
requiredAudience validation fails if aud claim contains multiple audiences in JWT token.
jwtParser.requireAudience(config.getRequiredAudience()); to not to validate aud during parseClaimsJws.
validateAudience method and call it from createIdentity
a fix
JWT Authentication
Support for multi-value audience claims in JWT token
Related issues, pull requests, and links
#13442
Documentation
( *) No documentation is needed.
( ) Sufficient documentation is included in this PR.
( ) Documentation PR is available with #prnumber.
( ) Documentation issue #issuenumber is filed, and can be handled later.
Release notes
( ) No release notes entries required.
( ) Release notes entries required with the following suggested text:
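
The description above moves audience validation out of the parser so that an aud claim holding several values can still be matched against the required audience. The following is an added example, not the code from this pull request: a plain-Java check covering both forms of aud allowed by RFC 7519 section 4.1.3. The class and method names and the sample values are hypothetical, and skipping the check when no audience is configured is an assumption taken from the review comments.

```java
import java.util.Collection;
import java.util.List;
import java.util.Optional;

// Added illustration, not Trino's implementation. Names are hypothetical.
public final class AudienceCheck
{
    private AudienceCheck() {}

    // "aud" is either a single string or an array of strings (RFC 7519, 4.1.3).
    // Returns true only when the token is acceptable for this server.
    public static boolean audienceAccepted(Optional<String> requiredAudience, Object tokenAudience)
    {
        if (requiredAudience.isEmpty()) {
            return true; // assumption: nothing configured, so the claim is not inspected
        }
        String required = requiredAudience.get();
        if (tokenAudience instanceof String) {
            return required.equals(tokenAudience);
        }
        if (tokenAudience instanceof Collection<?>) {
            // Exact match per element; non-string elements can never match.
            for (Object element : (Collection<?>) tokenAudience) {
                if (required.equals(element)) {
                    return true;
                }
            }
            return false;
        }
        // Missing claim (null) or an unexpected JSON type: fail closed.
        return false;
    }

    public static void main(String[] args)
    {
        Optional<String> required = Optional.of("trino"); // constructed sample values
        check(audienceAccepted(required, "trino"), true);
        check(audienceAccepted(required, List.of("other", "trino")), true);
        check(audienceAccepted(required, List.of("trino-admin")), false); // no prefix match
        check(audienceAccepted(required, "trino,other"), false);          // no list parsing
        check(audienceAccepted(required, null), false);
        check(audienceAccepted(required, 42), false);
        check(audienceAccepted(Optional.empty(), null), true);
    }

    private static void check(boolean actual, boolean expected)
    {
        if (actual != expected) {
            throw new AssertionError("unexpected audience decision");
        }
    }
}
```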