@kubkon kubkon commented Apr 29, 2025

Closes #812

This PR implements the proposal issue for JSON Web Token based authorization in the notary server. I tried my best to keep the addition of the JWT validation mechanism as non-invasive as possible, and thus the extraction logic is handled in the existing AuthorizationMiddleware struct, where we guide the extractor as to which header and token/API key to look for based on the server's config.

The server's config now expects an enum

enum AuthorizationModeProperties {
    Jwt(JwtAuthorizationProperties),
    Whitelist(String),
}

This way, only one mode is possible and this is enforced at config parsing level.

I have also added an integration test which mirrors the one for whitelist authorization, but where we use a JWT token for authorization.

Finally, I've updated the README and openapi spec to reflect the proposed changes.

Lemme know what you think! Hopefully this PR will make reading and deciding on the proposal in #812 a little easier since it outlines the number of required changes to make it a reality.

cc @yuroitaki

@kubkon kubkon force-pushed the kubkon/jwt-auth branch from bde64bd to 41bfbfb Compare May 16, 2025 19:51
@kubkon kubkon marked this pull request as draft May 16, 2025 19:51
@kubkon kubkon force-pushed the kubkon/jwt-auth branch from 6f20b76 to af19987 Compare May 19, 2025 05:08
@kubkon kubkon marked this pull request as ready for review May 19, 2025 05:09
@kubkon kubkon force-pushed the kubkon/jwt-auth branch from af19987 to 62a2c44 Compare May 20, 2025 04:46
@yuroitaki yuroitaki self-requested a review May 20, 2025 16:09

@yuroitaki yuroitaki left a comment

Great stuff! Got some comments (some are only nits and cosmetics though).

Jakub Konka added 3 commits May 23, 2025 12:38
This mode is an alternative to the whitelist authorization mode.
It extracts the JWT from the authorization header (bearer token),
validates the token's signature, claimed expiry times and additional
(user-configurable) claims.
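As an added illustration of the JWT mode described in the PR description and in this commit message (this is not the PR's or tlsnotary's code), the following Python sketch does what the commit message lists: it extracts a bearer token from the Authorization header, checks an HS256 signature, checks `exp`, and then checks user-configurable required claims. The secret, the required-claims table and all function names are constructed assumptions; the PR's real config field names and key handling are not shown on this page.

```python
import base64, hashlib, hmac, json, time

# Constructed example secret and required-claims config (assumptions, not the PR's config).
SECRET = b"constructed-example-secret"
REQUIRED_CLAIMS = {"aud": "notary"}   # the "additional (user-configurable) claims" from the commit message

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 token; included only so the validator below has realistic input."""
    h = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"

def extract_bearer(headers: dict):
    """Pull the token from 'Authorization: Bearer <jwt>'; header names are case-insensitive."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = value.partition(" ")
    return token.strip() if scheme == "Bearer" and token.strip() else None

def validate_jwt(token: str, secret=SECRET, required=REQUIRED_CLAIMS, now=None) -> dict:
    """Check HS256 signature, then 'exp', then every configured claim; raise ValueError on failure."""
    h, p, s = token.split(".")            # a wrong part count raises ValueError by itself
    if json.loads(_unb64url(h)).get("alg") != "HS256":   # pin the algorithm; never let the token choose
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("missing or past exp")
    for name, want in required.items():
        if claims.get(name) != want:
            raise ValueError(f"claim {name!r} mismatch")
    return claims

def authorize(headers: dict, now=None) -> bool:
    """Middleware-style decision for JWT mode: a missing token or any validation error denies."""
    token = extract_bearer(headers)
    try:
        return token is not None and bool(validate_jwt(token, now=now))
    except ValueError:
        return False
```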
@kubkon kubkon force-pushed the kubkon/jwt-auth branch from c480114 to 1c82ff8 Compare May 23, 2025 10:41

@yuroitaki yuroitaki left a comment

Thanks for the changes~ a few more comments

@kubkon kubkon requested a review from yuroitaki May 26, 2025 21:28

@yuroitaki yuroitaki left a comment

Almost there! Mainly comments on logging 🙏

@kubkon kubkon requested a review from yuroitaki May 27, 2025 08:45
@yuroitaki yuroitaki changed the title feat(server): add JWT-based authorization mode feat(notary): add JWT-based authorization mode May 28, 2025

@yuroitaki yuroitaki left a comment

Thanks so much again for the contribution! @kubkon

@yuroitaki yuroitaki merged commit b6845df into tlsnotary:dev May 28, 2025
14 checks passed
@kubkon

kubkon commented May 28, 2025

Thanks so much again for the contribution! @kubkon

It was my pleasure!

@kubkon kubkon deleted the kubkon/jwt-auth branch May 28, 2025 05:10