kbs: token: add verifier with JSON Web Keys #458
Conversation
mythi
force-pushed
the
openid-token-verifier
branch
from
d19c338
to
c719019
Compare
|
Can you add a meaningfull description? Thanks. |
|
@Xynnn007 a bit offtopic but is there a reason why
|
mythi
force-pushed
the
openid-token-verifier
branch
2 times, most recently
from
4c7b9bb
to
52f2f06
Compare
mythi
changed the title
done |
I did not remember the concrete reason for it is a long time ago -- but I think it makes sense to use a common crate for the same functions. |
I was also wondering if it let us to drop |
mythi
force-pushed
the
openid-token-verifier
branch
from
52f2f06
to
13f51b3
Compare
For some verifier like IBMSE, |
OK. I was mainly referring to the CoCo tokenverifier code. |
|
@jialez0 PTAL |
mythi
force-pushed
the
openid-token-verifier
branch
from
13f51b3
to
1623b3b
Compare
|
rebased + force pushed. however, this change is relatively independent and does not add any new dependencies. are there any concerns or reasons to wait with this? |
kbs/src/token/jwk.rs
Outdated
| } | ||
|
|
||
| pub async fn get_jwks_from_file_or_url(p: &str) -> Result<jwk::JwkSet, JwksGetError> { | ||
| match Url::parse(p) { |
There was a problem hiding this comment.
Why not first
let url = Url::parse(p).map_err(...)?;
// then
match url {
...
}There was a problem hiding this comment.
the current match combines all checks under it. It is an error also when some insecure scheme is used.
There was a problem hiding this comment.
Ok. A first impression is
// failed to parse
let url = Url::parse(p).map_err(...)?;
if url.scheme() == "https" {
...
}
if url.scheme() == "file" && Path::new(url.path()).exists() {
...
}
...There was a problem hiding this comment.
I can move the error check arm to be the first one?
There was a problem hiding this comment.
I second Ding's original suggestion here. I would just get the error check out of the way in the beginning rather than adding another set of brackets. This will also allow you to return a more specific error.
I think it tends to be more readable to use match statements more like switch statements and to avoid chaining them together unless it really fits the fundamental logic of the function.
There was a problem hiding this comment.
I just updated this part too, thanks for the feedback!
what's the other one? |
|
@mythi it is #458 (comment) |
mythi
force-pushed
the
openid-token-verifier
branch
from
1623b3b
to
91f239a
Compare
thanks, it's easy to miss comments in resolved conversations. |
kbs/src/token/jwk.rs
Outdated
| } | ||
|
|
||
| pub async fn get_jwks_from_file_or_url(p: &str) -> Result<jwk::JwkSet, JwksGetError> { | ||
| match Url::parse(p) { |
There was a problem hiding this comment.
I second Ding's original suggestion here. I would just get the error check out of the way in the beginning rather than adding another set of brackets. This will also allow you to return a more specific error.
I think it tends to be more readable to use match statements more like switch statements and to avoid chaining them together unless it really fits the fundamental logic of the function.
kbs/src/token/jwk.rs
Outdated
| _ => Some(keyset), | ||
| } | ||
| } | ||
| None => None, |
There was a problem hiding this comment.
I wouldn't use a match here since there is really no logic in this case. You can just use map instead.
There was a problem hiding this comment.
Agreed. With the type change of trusted_certs_paths, we can simply write as
pub async fn new(config: AttestationTokenVerifierConfig) -> Result<Self> {
let keys = stream::iter(config.trusted_certs_paths)
.filter_map(|p| async move {
match get_jwks_from_file_or_url(&p).await {
Ok(jwkset) => Some(jwkset.keys),
Err(e) => {
warn!("error getting JWKS: {e:?}");
None
}
}
})
.concat()
.await;
Ok(Self { trusted_certs: jwk::JwkSet { keys } })
}where futures_util crate is needed.
There was a problem hiding this comment.
Right, I guess I blindly followed the CoCo approach so it ended up looking the same
There was a problem hiding this comment.
where
futures_utilcrate is needed.
the proposal looks nice but I wonder if this is justified for the functionality here?
There was a problem hiding this comment.
What the stream::iter does, is try to do get_jwks_from_file_or_url concurrently rather than serially if multiple paths in trusted_certs_paths are given. This makes sense to me. wdyt?
There was a problem hiding this comment.
My use-case is with one URL only but I understand we may have several trusted_certs_path in the future where parallelism might help to improve the KBS startup time.
kbs/src/token/jwk.rs
Outdated
| _ => Some(keyset), | ||
| } | ||
| } | ||
| None => None, |
There was a problem hiding this comment.
Agreed. With the type change of trusted_certs_paths, we can simply write as
pub async fn new(config: AttestationTokenVerifierConfig) -> Result<Self> {
let keys = stream::iter(config.trusted_certs_paths)
.filter_map(|p| async move {
match get_jwks_from_file_or_url(&p).await {
Ok(jwkset) => Some(jwkset.keys),
Err(e) => {
warn!("error getting JWKS: {e:?}");
None
}
}
})
.concat()
.await;
Ok(Self { trusted_certs: jwk::JwkSet { keys } })
}where futures_util crate is needed.
mythi
force-pushed
the
openid-token-verifier
branch
2 times, most recently
from
8e051d9
to
a96ff5f
Compare
This is useful if any token verifier needs initialization data pulled remotely. Signed-off-by: Mikko Ylinen <[email protected]>
mythi
force-pushed
the
openid-token-verifier
branch
from
a96ff5f
to
03691a3
Compare
mythi
force-pushed
the
openid-token-verifier
branch
2 times, most recently
from
4c917b1
to
8d81645
Compare
|
Let's merge this if you are happy with it @Xynnn007 |
Add a new token verifier that uses JSON Web Keys (JWK) from the configured JWK Set sources. JWK Sets can be provided locally using file:// URL schema or they can be downloaded automatically via OpenID Connect configuration URLs providing a pointer via "jwks_uri". Signed-off-by: Mikko Ylinen <[email protected]>
mythi
force-pushed
the
openid-token-verifier
branch
from
8d81645
to
ce55948
Compare
Add a new token verifier that uses JSON Web Keys (JWK) from
the configured JWK Set sources.
JWK Sets can be provided locally using file:// URL schema
or they can be downloaded automatically via OpenID Connect configuration
https:// URLs providing a pointer via "jwks_uri".