[Feature] External JWT Validation Auth #9
Conversation
@tern-dvjn-bot added some review comments.
Also, can you also add a conformance test for this auth method as well in GitHub Actions?
JWT conformance test requires setting up a JWKS endpoint and generating test tokens. Would you prefer to:
- Use a real OIDC provider (like Auth0) with test credentials?
- Set up a mock JWKS server in the workflow?
- Skip for now and add later?
internal/auth/auth.go (Outdated)
    case config.AuthModeHtpasswd:
        return htpasswd.NewHtpasswdAuth(&c.Htpasswd, logger)
    case config.AuthModeJWT:
        return jwt.NewJWTAuth(c.JWT.JWKSURL, c.JWT.Issuer, c.JWT.Audience, c.JWT.CacheTTL, logger)
can we pass the whole jwt config object directly?
Done - now passing &c.JWT (whole JWT config object) in auth.go
internal/auth/jwt/validator.go (Outdated)
    provider *JWKSProvider
    issuer   string
    audience string
    verifier *oidc.IDTokenVerifier
do we need the whole oidc verifier or just a jwt token verifier?
Done - replaced go-oidc with keyfunc/v3 + golang-jwt/jwt/v5 for pure JWKS verification. This allows direct JWKS URLs without requiring OIDC discovery.
internal/auth/jwt/validator.go (Outdated)
    ClientID:          audience,
    SkipClientIDCheck: false,
    SkipIssuerCheck:   false,
    SkipExpiryCheck:   false,
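Review bot: SkipClientIDCheck, SkipIssuerCheck and SkipExpiryCheck are all set to false here, which is already the zero value of these bool fields, so the three lines change nothing; either drop them or replace them with a one-line comment stating that the verifier enforces aud (via ClientID), iss and exp, which also makes it obvious that any separate iss/aud/exp comparison in the validate function is a duplicate of what this config already guarantees.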
if this already checks the issuer, expiry, client id, etc. Do we need to do it again in the validate function?
The JWT validator library handles signature verification. The additional issuer & audience checks are still needed to validate these claims match the configuration.
internal/auth/jwt/jwt.go (Outdated)
    @@ -0,0 +1,5 @@
    package jwt
if not used, you can remove this file
Done - jwt.go was already removed in a previous commit.
- Pass whole JWTConfig instead of individual fields to NewJWTAuth
- Simplify JWT validation by removing duplicate claim checks (OIDC verifier handles them)
- Remove unused jwt.go file
Resolves dvjn#9 review comments.
Assisted-by: GLM 4.7

- Replace go-oidc with keyfunc/v3 + golang-jwt/jwt/v5 for JWKS verification
- This allows direct JWKS URLs without requiring OIDC discovery
- Keep subject claim extraction for username retrieval
- Remove go-oidc dependency
Assisted-by: GLM 4.7

- Added Node.js scripts for generating test RSA keys and JWKS
- Added simple HTTP server to serve JWKS JSON endpoint
- Workflow update requires manual merge or workflow scope access
Assisted-by: GLM 4.7

- Added cmd/gen-test-jwt tool to generate test RSA keys, JWKS, and JWT
- Removed Node.js scripts and package.json
- Removed accidentally committed sorcerer binary
Workflow update (requires workflow scope):
- Updated conformance workflow to use Go tool + Python http.server
- JWKS served at /.well-known/jwks.json using Python's built-in server
Assisted-by: GLM 4.7

- Added cmd/jwks-server - minimal HTTP server for serving JWKS
- Serves /.well-known/jwks.json endpoint (standard OIDC path)
- Includes /health endpoint for health checks
- Replaces Python http.server with pure Go solution
- Usage: go build ./cmd/jwks-server && ./jwks-server
Assisted-by: GLM 4.7
Implements external JWT validation authentication as specified in GitHub issue #6.
Summary
Adds support for validating JWT tokens issued by external authentication services (e.g., Authelia, Keycloak, GitHub Actions OIDC, GitLab OIDC).
Changes
- JWTConfig with jwks_url, issuer, audience, and cache_ttl fields
- jwt mode
Configuration
SORCERER_AUTH__MODE=jwt
SORCERER_AUTH__JWT__JWKS_URL=https://auth.example.com/.well-known/jwks.json
SORCERER_AUTH__JWT__ISSUER=https://auth.example.com
SORCERER_AUTH__JWT__AUDIENCE=sorcerer-registry
SORCERER_AUTH__JWT__CACHE_TTL=300 # optional
Security
Related Issue
Resolves #6