Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add generic JWT auth #20928

Open
wants to merge 25 commits into
base: master
Choose a base branch
from
Open

feat: Add generic JWT auth #20928

wants to merge 25 commits into from
+428 −3

Conversation

wrmedford
Copy link

@wrmedford wrmedford commented Nov 25, 2024
edited
Loading

Closes #14250

This allows for generic JWTs to be used for authentication that are minted outside of Argo. Argo currently mints its own JWTs for auth outside of Dex, and this extends its capabilities to utilize JWTs that originate from Identity Aware Proxies.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@bunnyshell Bunnyshell
Copy link

bunnyshell bot commented Nov 25, 2024
edited
Loading

🔴 Preview Environment stopped on Bunnyshell

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

  • 🔵 /bns:start to start the environment
  • 🚀 /bns:deploy to redeploy the environment
  • /bns:delete to remove the environment

@wrmedford
(fix) deps bump.
8106163 
Signed-off-by: Wes Medford <[email protected]>
@wrmedford
(chore) lint fix.
0180e81 
Signed-off-by: Wes Medford <[email protected]>
@codecov Codecov
Copy link

codecov bot commented Nov 25, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 40.49587% with 72 lines in your changes missing coverage. Please review.

Project coverage is 53.25%. Comparing base (8126508) to head (989a45d).

Files with missing lines Patch % Lines
util/oidc/provider.go 48.93% 32 Missing and 16 partials ⚠️
util/session/sessionmanager.go 5.88% 13 Missing and 3 partials ⚠️
util/settings/settings.go 20.00% 7 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #20928      +/-   ##
==========================================
- Coverage   55.19%   53.25%   -1.95%     
==========================================
  Files         337      337              
  Lines       57058    57177     +119     
==========================================
- Hits        31496    30451    -1045     
- Misses      22863    24049    +1186     
+ Partials     2699     2677      -22

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@wrmedford wrmedford marked this pull request as ready for review November 25, 2024 15:12
@wrmedford wrmedford requested a review from a team as a code owner November 25, 2024 15:12
@ChristianCiach
Copy link
Contributor

ChristianCiach commented Nov 29, 2024
edited
Loading

That's cool, but shouldn't we at least verify a configurable aud claim? Otherwise an attacker could use any leaked JWT that happens to be signed by the right Identity Provider, even if it was intended to be used with a different Client. See https://stackoverflow.com/a/41237822/1507544

@wrmedford
Copy link
Author

That's cool, but shouldn't we at least verify a configurable aud claim? Otherwise an attacker could use any leaked JWT that happens to be signed by the right Identity Provider, even if it was intended to be used with a different Client. See https://stackoverflow.com/a/41237822/1507544

Good call, and completely agree. Will add that as a config option.

@wrmedford
Copy link
Author

That's cool, but shouldn't we at least verify a configurable aud claim? Otherwise an attacker could use any leaked JWT that happens to be signed by the right Identity Provider, even if it was intended to be used with a different Client. See https://stackoverflow.com/a/41237822/1507544

Added!

@wrmedford wrmedford requested a review from a team as a code owner December 21, 2024 18:55
jsoref
jsoref reviewed Dec 27, 2024
View reviewed changes
docs/operator-manual/user-management/index.md Show resolved Hide resolved
util/oidc/provider.go Outdated Show resolved Hide resolved
util/oidc/provider.go Show resolved Hide resolved
util/oidc/provider.go Outdated Show resolved Hide resolved
wrmedford and others added 3 commits December 27, 2024 11:31
@wrmedford @jsoref
Log cacheTTL
47329f5 
Co-authored-by: Josh Soref <[email protected]>
Signed-off-by: Wes <[email protected]>
@wrmedford @jsoref
Whitespace
e0dfd48 
Co-authored-by: Josh Soref <[email protected]>
Signed-off-by: Wes <[email protected]>
@wrmedford
(lint) remove whitespace due to fmt complaining
ac97c7c 
Signed-off-by: Wes Medford <[email protected]>
@wrmedford wrmedford mentioned this pull request Dec 30, 2024
Open
andrii-korotkov-verkada
andrii-korotkov-verkada reviewed Jan 1, 2025
View reviewed changes
util/oidc/provider.go

gooidc "github.com/coreos/go-oidc/v3/oidc"
"github.com/golang-jwt/jwt/v4"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's use jwt v5.

util/oidc/provider.go
p.jwksExpiry = time.Now().Add(cacheTTL)

return &jwks, nil
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a bit hesitant of having our own implementation of verification. Is it possible to use some libraries for that? E.g. would this https://pkg.go.dev/gopkg.in/square/go-jose.v2/jwt#Claims.Validate be useful?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea that's fair. I'll swap that out.

util/session/sessionmanager.go
return token.Claims, "", nil
}
// If JWT verification fails, continue with other methods
log.Debugf("JWT verification failed, trying other methods: %v", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we continue with other methods instead of failing?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Argo signs its own JWT, so this is for native auth (e.g. admin login for breakglass) we wouldn't want to block that auth just because JWT auth is configured.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrii-korotkov-verkada andrii-korotkov-verkada andrii-korotkov-verkada left review comments

@jsoref jsoref jsoref left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Configure ArgoCD to accept a JWT token provided in the HTTP header
4 participants
@wrmedford @ChristianCiach @jsoref @andrii-korotkov-verkada