feat(jans-cedarling): enhance JWT validation config #10142

@rmarinn

Description

Is your feature request related to a problem? Please describe.

To increase flexibility in JWT validation, additional bootstrap properties need to be implemented as described in the updated wiki. This will provide more granular control over how tokens are validated in the Cedarling application.

Describe the solution you'd like

Currently, the BootstrapConfig struct includes a JwtConfig enum:

/// Bootstrap configuration for Cedarling
pub struct BootstrapConfig {
    pub application_name: String,
    pub log_config: LogConfig,
    pub policy_store_config: PolicyStoreConfig,
    pub jwt_config: JwtConfig,
}

/// A set of properties used to configure JWT validation behavior
#[derive(Debug, Clone)]
pub enum JwtConfig {
    Disabled,
    Enabled {
        signature_algorithms: Vec<String>,
    },
}

We can extend the JwtConfig struct with additional fields to represent new bootstrap properties for token validation:

  • CEDARLING_AT_ISS_VALIDATION: When enabled, the iss claim must be present in the access token and the scheme must be https.
  • CEDARLING_AT_JTI_VALIDATION: When enabled, the jti claim must be present in the access token.
  • CEDARLING_AT_NBF_VALIDATION: When enabled, the nbf claim must be present in the access token and the Cedarling should verify that the current date is after the nbf.
  • CEDARLING_AT_EXP_VALIDATION: When enabled, the exp claim must be present and not past the date specified.
  • CEDARLING_IDT_ISS_VALIDATION: When enabled, the iss claim must be present in the id_token and the scheme must be https.
  • CEDARLING_IDT_SUB_VALIDATION: When enabled, the sub claim must be present in the id_token.
  • CEDARLING_IDT_EXP_VALIDATION: When enabled, the exp claim must be present and not past the date specified.
  • CEDARLING_IDT_IAT_VALIDATION: When enabled, the iat claim must be present in the id_token.
  • CEDARLING_IDT_AUD_VALIDATION: When enabled, the aud claim must be present in the id_token.
  • CEDARLING_USERINFO_ISS_VALIDATION: When enabled, the iss claim must be present and the scheme must be https.
  • CEDARLING_USERINFO_SUB_VALIDATION: When enabled, the sub claim must be present in the Userinfo JWT.
  • CEDARLING_USERINFO_AUD_VALIDATION: When enabled, the aud claim must be present in the Userinfo JWT.
  • CEDARLING_USERINFO_EXP_VALIDATION: When enabled, the exp claim must be present and not past the date specified.
  • CEDARLING_ID_TOKEN_TRUST_MODE: Strict | None. Varying levels of validation based on the preference of the developer. Strict mode requires (1) that the id_token's aud matches the access_token's client_id; (2) if a Userinfo token is present, that its sub matches the id_token's sub and that its aud matches the access_token's client_id.
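As an added example (not part of this issue and not Cedarling's own code), a Rust sketch of how the four access-token flags and the strict trust mode could be evaluated on already-parsed, signature-verified claims; the `Claims` struct, `AccessTokenRules`, `TrustMode` and the injected `now` timestamp are assumptions of this example, not project API.

```rust
// Added example (not Cedarling's own code): claim-level checks for the proposed CEDARLING_AT_*
// flags and CEDARLING_ID_TOKEN_TRUST_MODE. `Claims` is a hypothetical already-parsed,
// signature-verified token; `now` (epoch seconds) is injected so the checks are deterministic.
#[derive(Default)]
pub struct Claims {
    pub iss: Option<String>, pub sub: Option<String>, pub aud: Option<String>,
    pub jti: Option<String>, pub client_id: Option<String>,
    pub exp: Option<u64>, pub nbf: Option<u64>,
}
/// One flag per access-token property: ISS, JTI, NBF and EXP validation.
#[derive(Clone, Copy)]
pub struct AccessTokenRules { pub iss: bool, pub jti: bool, pub nbf: bool, pub exp: bool }
#[derive(Clone, Copy, PartialEq)]
pub enum TrustMode { None, Strict }

pub fn validate_access_token(c: &Claims, r: AccessTokenRules, now: u64) -> Result<(), String> {
    if r.iss {
        // CEDARLING_AT_ISS_VALIDATION: iss present and its scheme is https
        match c.iss.as_deref() {
            Some(i) if i.starts_with("https://") => {}
            Some(i) => return Err(format!("iss scheme is not https: {}", i)),
            None => return Err("iss claim missing".into()),
        }
    }
    // CEDARLING_AT_JTI_VALIDATION: jti present
    if r.jti && c.jti.is_none() { return Err("jti claim missing".into()); }
    // CEDARLING_AT_NBF_VALIDATION: nbf present and already reached
    match (r.nbf, c.nbf) {
        (true, None) => return Err("nbf claim missing".into()),
        (true, Some(n)) if now < n => return Err("token not yet valid (nbf)".into()),
        _ => {}
    }
    // CEDARLING_AT_EXP_VALIDATION: exp present and still in the future
    match (r.exp, c.exp) {
        (true, None) => return Err("exp claim missing".into()),
        (true, Some(e)) if now >= e => return Err("token expired (exp)".into()),
        _ => {}
    }
    Ok(())
}
/// Strict: id_token.aud == access_token.client_id; a Userinfo token, if present, must carry the
/// same sub as the id_token and an aud equal to the access_token client_id. None: no checks.
pub fn check_trust_mode(mode: TrustMode, at: &Claims, idt: &Claims, ui: Option<&Claims>) -> Result<(), String> {
    if mode == TrustMode::None { return Ok(()); }
    let client_id = at.client_id.as_deref().ok_or("access token has no client_id")?;
    if idt.aud.as_deref() != Some(client_id) { return Err("id_token aud != client_id".into()); }
    if let Some(ui) = ui {
        if ui.sub.is_none() || ui.sub != idt.sub { return Err("userinfo sub != id_token sub".into()); }
        if ui.aud.as_deref() != Some(client_id) { return Err("userinfo aud != client_id".into()); }
    }
    Ok(())
}
```

The id_token and Userinfo flags from the list above would follow the same shape, with their own rule structs, and all of these checks run only after the signature has been verified against the configured algorithms.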
