Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authn: Support access token wildcard namespace #87816

Merged
merged 8 commits into from
May 16, 2024
Merged

Authn: Support access token wildcard namespace #87816

merged 8 commits into from
May 16, 2024

Conversation

kalleep
Copy link
Contributor

@kalleep kalleep commented May 14, 2024
edited

What is this feature?
When working on documentation for grafana instance authentication using access tokens I noticed that we disallow wildcard namespace *. The point of that special namespace is to allow it for all instances.

So this pr changes that behavior only for access token. When authenticating using on behalf of a user (OBO) we still require that id token is signed with the correct namespace.

I also did some additional cleanups:

  1. Validating subjects after we have parsed namespaceID instead of checking string prefixes.
  2. Remove unused dependencies (user service and signing keys service)

Which issue(s) does this PR fix?:
Fixes https://github.com/grafana/identity-access-team/issues/691

Special notes for your reviewer:

Please check that:

  • It works as expected from a user's perspective.
  • If this is a pre-GA feature, it is behind a feature toggle.
  • The docs are updated, and if this is a notable improvement, it's added to our What's New doc.

@kalleep kalleep added no-backport Skip backport of PR no-changelog Skip including change in changelog/release notes labels May 14, 2024
@kalleep kalleep added this to the 11.1.x milestone May 14, 2024
@kalleep kalleep requested a review from a team as a code owner May 14, 2024 13:44
@kalleep kalleep changed the title Authn: Support access token namespace wildcard Authn: Support access token wildcard namespace May 15, 2024
@kalleep kalleep requested a review from gamab May 15, 2024 14:47
gamab
gamab approved these changes May 15, 2024
View reviewed changes
Copy link
Contributor

@gamab gamab left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

pkg/services/authn/clients/ext_jwt.go Show resolved Hide resolved
pkg/services/authn/clients/ext_jwt.go Outdated Show resolved Hide resolved
pkg/services/authn/clients/ext_jwt.go Outdated Show resolved Hide resolved
pkg/services/authn/clients/ext_jwt.go Show resolved Hide resolved
@kalleep kalleep merged commit 5c27f22 into main May 16, 2024
12 checks passed
@kalleep kalleep deleted the authn/ext-jwt-namespace branch May 16, 2024 08:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gamab gamab gamab approved these changes

Assignees
No one assigned
Labels
area/backend no-backport Skip backport of PR no-changelog Skip including change in changelog/release notes
Projects
None yet
Milestone
11.1.x
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@kalleep @gamab