Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[18.0][IMP] auth_jwt: allow more authorization options over aud #753

Open
wants to merge 53 commits into
base: 18.0
Choose a base branch
from
Open

[18.0][IMP] auth_jwt: allow more authorization options over aud #753

wants to merge 53 commits into from

Conversation

dnplkndll
Copy link

@dnplkndll dnplkndll commented Jan 17, 2025
edited
Loading

@kobros-tech can you add some tests?

probably want to require one of the possible types too. so maybe a type selection [aud,scope,group] then the aud_text to use to parse the match value?

need to rebase after: #752 merges

image or image

sbidoul and others added 30 commits January 16, 2025 17:55
@sbidoul @dnplkndll
[ADD] auth_jwt
0fec17f
@sbidoul @dnplkndll
auth_jwt: use PyJWT instead of python-jose
9b22029 
Because it allows validating with a list of audiences.
@sbidoul @dnplkndll
auth_jwt: add signature algorithms
891cb7e
@sbidoul @dnplkndll
auth_jwt: support multiple audiences
4a52f97
@sbidoul @dnplkndll
auth_jwt: add nbf validation test
6daf4dd
@sbidoul @dnplkndll
auth_jwt: docs clarification and fixes
a378e41
@sbidoul @dnplkndll
auth_jwt: fix jwks URI support
511a69b 
Make it work with pyjwt.
@sbidoul @dnplkndll
auth_jwt: mock instead of committing in tests
529f3ee
@sbidoul @dnplkndll
auth_jwt: more precise precondition check
459b113
@sbidoul @dnplkndll
Rename auth_jwt_test to auth_jwt_demo
97f4bd9
@sbidoul @dnplkndll
[MIG] auth_jwt
1525555
@oca-travis @dnplkndll
[UPD] Update auth_jwt.pot
6113019
@OCA-git-bot @dnplkndll
[UPD] README.rst
3f15e2b
@OCA-git-bot @dnplkndll
auth_jwt 14.0.1.0.1
901fb80
@sbidoul @dnplkndll
[IMP] auth_jwt: add public_or_jwt auth method
d5f8416 
This method is useful for public endpoints that need
to work for anonymous user, but can be enhanced when
an authenticated user is know.

A typical use case is a "add to cart" enpoint that can
work for anonymous users, but can be enhanced by
binding the cart to a known customer when the authenticated
user is known.
@OCA-git-bot @dnplkndll
[UPD] README.rst
ce32935
@OCA-git-bot @dnplkndll
auth_jwt 14.0.1.1.0
2cb4c94
@yankinmax @dnplkndll
auth_jwt: Relicence under LGPL
40216e9
@OCA-git-bot @dnplkndll
auth_jwt 14.0.1.2.0
9189dd1
@paradoxxxzero @dnplkndll
[IMP] auth_jwt: Add validator.next_validator_id to allow validator ch…
67e347b 
…aining
@dnplkndll
[UPD] Update auth_jwt.pot
5941a0c
@OCA-git-bot @dnplkndll
auth_jwt 14.0.2.0.0
9df6359
@sbidoul @dnplkndll
[MIG] auth_jwt from 14 to 16
f96d4e4
@sbidoul @dnplkndll
[MIG] auth_jwt: convert unit tests to integration tests
1f5e975 
The unit tests were broken for non-functional reasons (interaction with
the mock) and is easier to implement as integration test.
@dnplkndll
[UPD] Update auth_jwt.pot
cb8319d
@OCA-git-bot @dnplkndll
[UPD] README.rst
e0c891e
@sbidoul @dnplkndll
auth_jwt: add cookie mode
6ae42fd
@sbidoul @dnplkndll
auth_jwt: clarify exceptions
f0419cb 
Distinguish errors that lead to a 401
from internal configuration errors.
@sbidoul @dnplkndll
auth_jwt: minor refactoring
e5e1125
@sbidoul @dnplkndll
[IMP] auth_jwt: refactor
b3dff91 
Extract _parse_bearer_authorization function for easier reuse by fastapi_auth_jwt
OCA-git-bot and others added 17 commits January 16, 2025 17:55
@OCA-git-bot @dnplkndll
[UPD] README.rst
f654d65
@OCA-git-bot @dnplkndll
auth_jwt 16.0.1.1.0
9f2f013
@Ivorra78 @dnplkndll
Added translation using Weblate (Spanish)
c039592
@Ivorra78 @dnplkndll
Translated using Weblate (Spanish)
b27779f 
Currently translated at 100.0% (64 of 64 strings)

Translation: server-auth-16.0/server-auth-16.0-auth_jwt
Translate-URL: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_jwt/es/
@OCA-git-bot @dnplkndll
[UPD] README.rst
028cbed
@rbellanova @dnplkndll
Added translation using Weblate (Italian)
eb59f40
@rbellanova @dnplkndll
Translated using Weblate (Italian)
acc56c2 
Currently translated at 89.0% (57 of 64 strings)

Translation: server-auth-16.0/server-auth-16.0-auth_jwt
Translate-URL: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_jwt/it/
@mymage @dnplkndll
Translated using Weblate (Italian)
42d313c 
Currently translated at 100.0% (64 of 64 strings)

Translation: server-auth-16.0/server-auth-16.0-auth_jwt
Translate-URL: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_jwt/it/
@francesco-ooops @dnplkndll
Translated using Weblate (Italian)
2cf3ea5 
Currently translated at 100.0% (64 of 64 strings)

Translation: server-auth-16.0/server-auth-16.0-auth_jwt
Translate-URL: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_jwt/it/
@MikeAelbrecht @dnplkndll
[IMP] auth_jwt: pre-commit auto fixes
1579c5a
@MikeAelbrecht @dnplkndll
[MIG] auth_jwt: Migration to 17.0
c799c09
@MikeAelbrecht @dnplkndll
[IMP] auth_jwt: pre-commit auto fixes
4061b5c
@MikeAelbrecht @dnplkndll
[IMP] auth_jwt: pre-commit auto fixes
9d453c1
@MikeAelbrecht @dnplkndll
Missing space
7f7dd09
@kobros-tech @dnplkndll
[17.0][FIX] auth_jwt: cleaning up for migration
5b14de5
@dnplkndll
[IMP] auth_jwt: pre-commit auto fixes
bc1adb2
@dnplkndll
[MIG] auth_jwt: Migration to 18.0
0068509
@dnplkndll dnplkndll force-pushed the 18.0-imp-auth_jwt-drop-aud branch 4 times, most recently from b3e8a9b to 538beb2 Compare January 18, 2025 01:27
@dnplkndll dnplkndll force-pushed the 18.0-imp-auth_jwt-drop-aud branch from 538beb2 to 5da46e0 Compare January 18, 2025 01:46
@dnplkndll
Copy link
Author

@sbidoul working aws cognito as a token provider, there are no aud. but we do have scopes and user groups. would it be useful to replace the aud with these new tests to validate a server to server account has proper scope or a user has a group? the tests are pretty sloppy ( any intersection of the sets) can refine if useful. another option might be a simple disable but really do need the scope test in our case.
The next issue is we would have tokens that have sub and map user/partner via oath provider data? I guess that can be done in partner_id_strategy extension.

server-auth/auth_oidc/models/res_users.py

Line 72 in 035093d

validation["user_id"] = validation["sub"]

@dnplkndll dnplkndll force-pushed the 18.0-imp-auth_jwt-drop-aud branch from 7342133 to 5da46e0 Compare January 18, 2025 13:04
@sbidoul
Copy link
Member

sbidoul commented Jan 18, 2025

I'm ok to make audience optional. May I suggest doing that in an independent PR to facilitate review?

Then adding validation on additional claim sounds ok too. I would not override the meaning of the audience field, though. How about an expected_claim field containing a literal dictionary (to be parsed with ast.literal_eval) or a json field.

@dnplkndll dnplkndll force-pushed the 18.0-imp-auth_jwt-drop-aud branch from fabb83e to f5e43c3 Compare January 18, 2025 14:49
@dnplkndll
Copy link
Author

optional aud only
#755

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.