Skip to content

refactor(jans-cedarling): relax JWT validation to allow optional claims #10173

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 18, 2024
Merged

refactor(jans-cedarling): relax JWT validation to allow optional claims #10173

merged 2 commits into from
Nov 18, 2024

Conversation

rmarinn
Copy link
Contributor

@rmarinn rmarinn commented Nov 18, 2024

  • Make the iss claim OPTIONAL.
  • Make the aud claim OPTIONAL.
  • Make the sub claim OPTIONAL.
  • Make the exp claim OPTIONAL but validate it if it exists.
  • Make the nbf claim OPTIONAL but validate it if it exists.

Prepare

Description

This PR relaxes the JWT validation to allow optional claims.

This following implementation will probably change after #10142 gets resolved but should be helpful for testing before MVP.

Target issue

target issue: #10060

closes #10060

Implementation Details

When performing JWT validation:

  • Made the iss claim OPTIONAL.
  • Made the aud claim OPTIONAL.
  • Made the sub claim OPTIONAL.
  • Made the exp claim OPTIONAL but validate it if it exists.
  • Made the nbf claim OPTIONAL but validate it if it exists.

Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

@rmarinn
refactor(jans-cedarling): relax JWT validation to allow optional claims
7b93489 
- Make the `iss` claim OPTIONAL.
- Make the `aud` claim OPTIONAL.
- Make the `sub` claim OPTIONAL.
- Make the `exp` claim OPTIONAL but validate it if it exists.
- Make the `nbf` claim OPTIONAL but validate it if it exists.

Signed-off-by: rmarinn <34529290+rmarinn@users.noreply.github.com>
@rmarinn rmarinn added the comp-jans-cedarling Touching folder /jans-cedarling label Nov 18, 2024
@rmarinn rmarinn self-assigned this Nov 18, 2024
@rmarinn rmarinn linked an issue Nov 18, 2024 that may be closed by this pull request
feat(jans-cedarling): relax JwtService validation to allow optional claims #10060
Closed
5 tasks
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Nov 18, 2024
edited
Loading

DryRun Security Summary

The pull request focuses on improving the security of the JWT (JSON Web Token) validation process in the cedarling application by adding comprehensive negative test cases and simplifying the validation logic, but also removing cross-validation between different tokens, which could potentially introduce new security risks.

Expand for full summary

Summary:

The code changes in this pull request focus on improving the security of the JWT (JSON Web Token) validation process in the cedarling application. The changes primarily involve adding negative test cases to cover various scenarios where the JWT tokens (id_token, access_token, and userinfo_token) are invalid or expired.

The key security-related changes include:

  1. Comprehensive Token Validation Tests: The new test cases cover scenarios such as invalid signatures, expired tokens, and tokens used before the nbf (Not Before) timestamp. This helps ensure that the JWT service correctly identifies and rejects these types of invalid tokens, reducing the risk of security vulnerabilities.

  2. Simplified Validation Logic: The changes in the decoding_strategy.rs file simplify the validation rules by removing the validation for iss, aud, and sub claims. While this may improve performance, it also reduces the overall validation, which could potentially make the application more susceptible to certain types of attacks, such as token replay or tampering.

  3. Removal of Cross-Validation: The previous version of the code performed cross-validation between the different tokens (access_token, id_token, and userinfo_token) to ensure that the iss and aud claims matched. This type of cross-validation helps prevent token substitution attacks, and its removal may introduce new security risks that should be carefully considered.

Overall, the changes in this pull request focus on strengthening the security of the JWT validation process, but they also introduce some potential trade-offs that should be reviewed and addressed to maintain the application's overall security posture.

Files Changed:

  1. jans-cedarling/cedarling/src/jwt/test/with_validation/id_token.rs: Adds negative test cases for id_token validation, including invalid signature, expired tokens, and tokens used before nbf.
  2. jans-cedarling/cedarling/src/jwt/test/with_validation/access_token.rs: Adds negative test cases for access_token validation, including invalid signature, expired tokens, and tokens used before nbf.
  3. jans-cedarling/cedarling/src/jwt/decoding_strategy.rs: Simplifies the validation rules by removing the validation for iss, aud, and sub claims.
  4. jans-cedarling/cedarling/src/jwt/mod.rs: Updates the JwtService module, removing the DecodingArgs struct and simplifying the validation logic.
  5. jans-cedarling/cedarling/src/jwt/test/with_validation/userinfo_token.rs: Adds negative test cases for userinfo_token validation, including invalid signature, expired tokens, and tokens used before nbf.

Code Analysis

We ran 9 analyzers against 5 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

olehbozhok
olehbozhok approved these changes Nov 18, 2024
View reviewed changes
Copy link
Contributor

@olehbozhok olehbozhok left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code style looks OK to me.

Is these changes are related to cedarling validation config inputs in the Bootstrap properties ?

duttarnab
duttarnab approved these changes Nov 18, 2024
View reviewed changes
jans-cedarling/cedarling/src/jwt/decoding_strategy.rs
// `exp` by default.
validator.required_spec_claims.clear();
// `aud` should be optional.
validator.validate_aud = false;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think these flags will decide if the claims are optional or mandatory. Are we setting the default value here?
And user can reset these values in the bootstrap configuration.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is just a quick fix, so we can test tokens for MVP since i still haven't finished #10142.

@mo-auto mo-auto added the kind-enhancement Issue or PR is an enhancement to an existing functionality label Nov 18, 2024
@rmarinn
Copy link
Contributor Author

rmarinn commented Nov 18, 2024
edited
Loading

Is these changes are related to cedarling validation config inputs in the Bootstrap properties ?

The new bootstrop properties are not implemented yet, i just removed the overly-strict restrictions for now in case we wan't to test for MVP.

@rmarinn rmarinn enabled auto-merge (squash) November 18, 2024 19:57
@rmarinn rmarinn merged commit caa8208 into main Nov 18, 2024
1 check passed
@rmarinn rmarinn deleted the jans-cedarling-10060 branch November 18, 2024 19:57
djellemah
djellemah reviewed Nov 18, 2024
View reviewed changes
Copy link
Contributor

@djellemah djellemah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks ok to me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@olehbozhok olehbozhok olehbozhok approved these changes

@duttarnab duttarnab duttarnab approved these changes

+1 more reviewer

@djellemah djellemah djellemah left review comments

Reviewers whose approvals may not affect merge requirements
Assignees

@rmarinn rmarinn

Labels
comp-jans-cedarling Touching folder /jans-cedarling kind-enhancement Issue or PR is an enhancement to an existing functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

feat(jans-cedarling): relax JwtService validation to allow optional claims
5 participants
@rmarinn @djellemah @olehbozhok @duttarnab @mo-auto