Extract client identifier from authorization token #381

@whiskeysierra

Description

Detailed Description

Logbook should enrich requests with the subject from the JWT token in the Authorization header, if present.

Context

Having the id as part of the request would make it much easier to identify clients, which in turn helps with:

  • identifying unauthorized access issues
  • usage analysis

Possible Implementation

  • introduce the concept of an attribute
  • attributes are simple key-value pairs (tbd type of value)
  • a request/response can have multiple attributes
  • attributes should be derived/created from requests/responses before any filtering (e.g. obfuscation)
  • built-in attribute extractor for sub from JWT token
    • detect JWT tokens: Bearer prefix + 3x base64 data separated by dots
    • remove Bearer prefix
    • split at .
    • base64 decode payload, i.e. the second element
    • parse JSON
    • read properties in order and return the first one that is present
      • https://identity.zalando.com/managed-id (Zalando employee tokens)
      • sub
    • don't hard-code priorities, but rather allow configuring a list of claim names, defaulting to ["sub"]
  • extend JsonHttpLogFormatter to include attributes (tbd, top level? nested? name clashes?)
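The extraction steps listed above, worked through as an added example. This is not Logbook code (Logbook is a Java library; Python is used here only because the algorithm is self-contained and runnable without a JSON dependency). The names `extract_subject`, `make_unsigned_token` and `ZALANDO_CLAIMS` are assumed for illustration; the two sample payloads are the employee and service token payloads shown in this issue. Two details worth noting from a defender's point of view: JWT segments are base64url without padding rather than plain base64, so the decoder has to restore padding; and this extractor only decodes the payload, it does not verify the signature, so the identifier it yields is only as trustworthy as the authentication filter that validated the token upstream, and the extractor must tolerate malformed or hostile input without failing the request or writing control characters into the log.

```python
import base64
import json
import re
from typing import Iterable, Optional

# Default claim priority as proposed in the issue: configurable, defaults to ["sub"].
DEFAULT_CLAIMS = ("sub",)

# Assumed name: the priority order described in the issue for Zalando tokens.
ZALANDO_CLAIMS = ("https://identity.zalando.com/managed-id", "sub")

# Detection rule from the issue: "Bearer" prefix + three dot-separated base64url segments.
# The scheme name is matched case-insensitively as RFC 7235 allows.
_JWT_RE = re.compile(
    r"^Bearer\s+([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)$",
    re.IGNORECASE,
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url *without* padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def extract_subject(authorization: Optional[str],
                    claims: Iterable[str] = DEFAULT_CLAIMS) -> Optional[str]:
    """Return the first configured claim present in the token payload, or None.

    The payload is decoded but NOT signature-verified: the value is an attribute
    for logging, not an authorization decision. Any malformed input yields None
    so that logging never breaks request processing.
    """
    if not authorization:
        return None
    match = _JWT_RE.match(authorization.strip())
    if not match:
        return None  # not a bearer JWT (e.g. Basic auth, opaque token)
    try:
        # The payload is the second segment; decoding errors and invalid JSON
        # both surface as ValueError subclasses (binascii.Error, JSONDecodeError,
        # UnicodeDecodeError).
        payload = json.loads(_b64url_decode(match.group(2)))
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None
    for name in claims:
        value = payload.get(name)
        # Only accept non-empty strings without control characters, so a
        # crafted claim cannot inject line breaks or escapes into the log.
        if isinstance(value, str) and value and value.isprintable():
            return value
    return None


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(payload: dict) -> str:
    """Constructed helper for the demonstration only: builds a JWT-shaped
    Authorization header value with a dummy signature segment. It exists to
    show that the extractor reads claims without verifying anything."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"Bearer {header}.{body}.not-a-real-signature"


# Sample payloads copied from the employee and service tokens in this issue.
EMPLOYEE_PAYLOAD = {
    "sub": "3b66d47c-d886-4c63-a0b9-9ec3cad7e848",
    "https://identity.zalando.com/realm": "users",
    "https://identity.zalando.com/managed-id": "wschoenborn",
    "azp": "ztoken",
    "iss": "https://identity.zalando.com",
}
SERVICE_PAYLOAD = {
    "sub": "stups_sales-order-service",
    "https://identity.zalando.com/realm": "services",
    "azp": "stups_sales-order-service_389e4e16-0695-45df-9afd-d9be0ffab456",
    "iss": "https://identity.zalando.com",
}

if __name__ == "__main__":
    for name, payload in (("employee", EMPLOYEE_PAYLOAD), ("service", SERVICE_PAYLOAD)):
        token = make_unsigned_token(payload)
        print(name, "default:", extract_subject(token))
        print(name, "zalando:", extract_subject(token, ZALANDO_CLAIMS))
```

With the default claim list both tokens yield their `sub`; with `ZALANDO_CLAIMS` the employee token yields `wschoenborn` and the service token falls back to `sub` because it carries no managed-id claim. Non-bearer headers, wrong segment counts, undecodable payloads, non-object JSON and claims that are not printable strings all return `None`, which is the behaviour an attribute extractor that runs before filtering needs.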

Employee Token

{
  "sub": "3b66d47c-d886-4c63-a0b9-9ec3cad7e848",
  "https://identity.zalando.com/realm": "users",
  "https://identity.zalando.com/token": "Bearer",
  "https://identity.zalando.com/managed-id": "wschoenborn",
  "azp": "ztoken",
  "https://identity.zalando.com/bp": "810d1d00-4312-43e5-bd31-d8373fdd24c7",
  "auth_time": 1540188140,
  "iss": "https://identity.zalando.com",
  "exp": 1541411248,
  "iat": 1541407638
}

Service Token

{
  "sub": "stups_sales-order-service",
  "https://identity.zalando.com/realm": "services",
  "https://identity.zalando.com/token": "Bearer",
  "azp": "stups_sales-order-service_389e4e16-0695-45df-9afd-d9be0ffab456",
  "https://identity.zalando.com/bp": "810d1d00-4312-43e5-bd31-d8373fdd24c7",
  "iss": "https://identity.zalando.com",
  "exp": 1541411315,
  "iat": 1541407705,
  "https://identity.zalando.com/privileges": [
    "com.zalando::loyalty_point_account.read_all"
  ]
}

Links

Your Environment

  • Version used: 1.11.1
