feat(jans-cedarling): improve error handling for JWKS responses #9982

rmarinn · 2024-10-30T08:14:54Z

NOTE: this merge is dependent on #9999

Prepare

Read PR guidelines
Read license information

Description

This PR enhances the error handling mechanism when fetching from a remote JWKS so that Cedarling does not halt initialization when encountering a key with an unsupported algorithm. This improvement will allow for smoother operation and better handling of dynamic key sets.

Target issue

target issue: #9966

closes #9966

Implementation Details

added logic to skip over JWKs that use unsupported algorithms without breaking the initialization process
updated error handling to avoid stopping service initialization when encountering unknown algorithm variants in JWKs

Test and Document the changes

Static code analysis has been run locally and issues have been fixed
Relevant unit and integration tests have been added/updated
Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

I confirm that there is no impact on the docs due to the code changes in this PR.

dryrunsecurity · 2024-10-30T08:15:26Z

DryRun Security Summary

The pull request focuses on improving the security and reliability of the JWT (JSON Web Token) handling and validation functionality in the cedarling project, with changes spanning multiple files and addressing various aspects of JWT processing, including decoding, validation, error handling, and key management.

Expand for full summary

Summary:

The code changes in this pull request focus on improving the security and reliability of the JWT (JSON Web Token) handling and validation functionality in the cedarling project. The changes span multiple files and address various aspects of JWT processing, including decoding, validation, error handling, and key management.

The key security-related improvements include:

Conditional inclusion of the "exp" (expiration) claim in the list of required claims, allowing the application to optionally skip the validation of the expiration claim.
Explicit handling of unsupported algorithms, ensuring that the application only processes tokens signed with approved algorithms.
Comprehensive error handling and reporting, with the introduction of new error types to provide detailed information about various failure scenarios.
Secure key management, including the use of thread-safe and shared-ownership wrappers for the cryptographic keys used in the JWT decoding process.
Robust validation of JWT claims, such as "iss", "aud", "sub", "nbf", and "exp", to ensure the integrity and authenticity of the tokens.
Graceful handling of missing or unsupported keys in the JWKS (JSON Web Key Set) returned by the trusted issuer.

Overall, the changes in this pull request demonstrate a security-conscious approach to the implementation of JWT-based authentication and authorization in the cedarling project, with a focus on mitigating potential security vulnerabilities and maintaining the reliability and robustness of the system.

Files Changed:

jans-cedarling/cedarling/src/jwt/decoding_strategy.rs: Improvements to the JWT decoding and validation logic, including the conditional inclusion of the "exp" claim and the handling of unsupported algorithms.
jans-cedarling/cedarling/src/jwt/decoding_strategy/error.rs: Introduction of a new JwtDecodingError enum to handle various error cases that can occur during JWT decoding and validation.
jans-cedarling/cedarling/examples/authorize_with_jwt_validation.rs: Demonstration of JWT validation and policy-based authorization using the Cedarling library.
jans-cedarling/cedarling/src/init/service_config.rs: Changes to the HTTP client implementation and the handling of trusted issuers and OpenID configurations.
jans-cedarling/cedarling/src/jwt/decoding_strategy/key_service/openid_config.rs: Improvements to the thread-safe and shared-ownership handling of the cryptographic keys used for JWT decoding.
jans-cedarling/cedarling/src/jwt/jwt_service_config.rs: Refactoring of the JWT service configuration to use an abstraction for the HTTP client.
jans-cedarling/cedarling/src/jwt/decoding_strategy/key_service.rs: Implementation of a KeyService for retrieving and caching the cryptographic keys used for JWT decoding.
jans-cedarling/cedarling/src/jwt/decoding_strategy/key_service/error.rs: Enhancements to the KeyServiceError enum to handle various error conditions related to key management.
jans-cedarling/cedarling/src/jwt/mod.rs: Improvements to the JWT validation logic, including more comprehensive checks on the access_token, id_token, and userinfo_token.
jans-cedarling/cedarling/src/jwt/test/with_validation/: Addition of various test cases to ensure the proper handling of different JWT-related error scenarios.

Code Analysis

We ran 9 analyzers against 17 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

abaghinyan

Some suggestions for improvement

jans-cedarling/cedarling/src/jwt/decoding_strategy/key_service.rs

jans-cedarling/cedarling/src/jwt/test/can_support_dynamic_jwks.rs

jans-cedarling/cedarling/src/jwt/test/can_decode_claims_with_validation.rs

jans-cedarling/cedarling/src/jwt/test/utils.rs

feat(jans-cedarling): add graceful error handling for unsupported algorithms in JWKs - added logic to skip over JWKs that use unsupported algorithms without breaking the initialization process - updated error handling to avoid stopping service initialization when encountering unknown algorithm variants in JWKs Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com> refactor(jans-cedarling): extract repeated code into a method for better code reusability Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com> chore(jans-cedarling): fix misspellings Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com> fix(jans-cedarling): add error handling to update_jwks_for_iss Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com> test(jans-cedarling): improve test assertions and messages Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com> test(jans-cedarling): improve panic message in test utils Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com> test(jans-cedarling): Make generate_token_using_claims return a Result - Make gernerate_token_using_claims return a Result instead of panicking for improved error management in tests. Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com> feat(jans-cedarling): add retry mechanism for KeyService HTTP requests Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com> chore(jans-cedarling): add missing license header Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com> chore(jans-cedarling): resolve clippy issues Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com> chore(jans-cedarling): update example for authorize_with_jwt_validation.rs Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com> refactor(jans-cedarling): remove `exp` and `nbf` requirement for userinfo_token Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

nynymike · 2024-11-04T17:39:24Z

jans-cedarling/cedarling/examples/tokens.example.json

@@ -0,0 +1,5 @@
+{


Why am I still seeing raw binary tokens?

that's the example file to show how the user can use their own tokens from the test server. please see authorize_with_validation.rs for the instructions.

djellemah

Looks fine to me.

jans-cedarling/cedarling/src/jwt/decoding_strategy/key_service.rs

jans-cedarling/cedarling/src/jwt/test/with_validation/key_service.rs

jans-cedarling/cedarling/src/jwt/decoding_strategy/key_service.rs

…orithms in JWKs - added logic to skip over JWKs that use unsupported algorithms without breaking the initialization process - updated error handling to avoid stopping service initialization when encountering unknown algorithm variants in JWKs Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>

…ter code reusability Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>