
feat: validate 'jti' claims in AccessTokenVerifier #481

Conversation


@paullatzelsperger paullatzelsperger commented Oct 21, 2024

What this PR changes/adds

Add validation for JWT token IDs (jti claim) when verifying access tokens.

To do that, the JtiValidationRule has been registered for the "dcp-access-token" validation context.

Note that by default this check is deactivated to avoid unexpected breakages in existing applications.

Set edc.iam.accesstoken.jti.validation=true to enable it.

Why it does that

Protection against replay attacks.

Linked Issue(s)

Closes eclipse-edc/Connector#3749

DEPENDS ON eclipse-edc/Connector#4560

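The replay protection the description refers to comes down to one rule: a jti that has already been presented is rejected until the token it belongs to expires. The following is an added example written for this page, not the EDC JtiValidationRule or any other project code; the class name JtiReplayGuard, its check() method and the in-memory map are assumptions chosen to illustrate the mechanism, and the enabled flag mirrors the opt-in default described above.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical jti replay guard (added example, not EDC code).
 * A token is accepted only if its jti has not been seen before; seen ids are
 * remembered until the token's exp, so the same token cannot be presented twice
 * within its lifetime, and entries are dropped once they can no longer be replayed.
 */
public final class JtiReplayGuard {
    // jti -> instant after which the id can be forgotten (the token's exp)
    private final Map<String, Instant> seenUntil = new ConcurrentHashMap<>();
    private final boolean enabled;

    public JtiReplayGuard(boolean enabled) {
        this.enabled = enabled;
    }

    /** Returns null when the token passes, otherwise a rejection reason. */
    public String check(String jti, Instant exp, Instant now) {
        if (!enabled) {
            return null; // opt-in behaviour: no jti check when the setting is off
        }
        if (jti == null || jti.isBlank()) {
            return "missing jti claim";
        }
        if (exp == null) {
            return "jti validation requires an exp claim to bound the replay window";
        }
        if (!exp.isAfter(now)) {
            return "token expired";
        }
        evictExpired(now);
        // putIfAbsent is atomic, so two concurrent presentations of the same
        // token cannot both be accepted
        Instant previous = seenUntil.putIfAbsent(jti, exp);
        return previous == null ? null : "jti already used (replay)";
    }

    private void evictExpired(Instant now) {
        seenUntil.entrySet().removeIf(e -> !e.getValue().isAfter(now));
    }

    public static void main(String[] args) {
        // constructed sample values, not taken from any real token
        var guard = new JtiReplayGuard(true);
        var now = Instant.parse("2024-10-21T13:41:00Z");
        var exp = now.plus(Duration.ofMinutes(5));

        // first presentation of the token
        System.out.println(guard.check("sample-jti-1", exp, now));
        // same jti presented again while the token is still valid
        System.out.println(guard.check("sample-jti-1", exp, now.plusSeconds(10)));
        // same jti presented after exp
        System.out.println(guard.check("sample-jti-1", exp, exp.plusSeconds(1)));

        // with the check disabled, every presentation passes
        var disabled = new JtiReplayGuard(false);
        System.out.println(disabled.check("sample-jti-1", exp, now));
    }
}
```

Two design points matter in practice: the store must be bounded by the token lifetime (hence the dependence on exp), and a per-process ConcurrentHashMap only protects a single instance, so a horizontally scaled verifier needs a shared or persistent store with the same time-bounded semantics.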

@paullatzelsperger paullatzelsperger added enhancement New feature or request dcp labels Oct 21, 2024
@paullatzelsperger paullatzelsperger marked this pull request as draft October 21, 2024 13:41
@paullatzelsperger paullatzelsperger marked this pull request as ready for review October 21, 2024 14:14
@@ -77,6 +85,12 @@ public void initialize(ServiceExtensionContext context) {

var scopeIsPresentRule = new ClaimIsPresentRule(ACCESS_TOKEN_SCOPE_CLAIM);
registry.addRule(DCP_ACCESS_TOKEN_CONTEXT, scopeIsPresentRule);

if (context.getSetting(ACCESSTOKEN_JTI_VALIDATION_ACTIVATE, false)) {
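Review bot: with the guard if (context.getSetting(ACCESSTOKEN_JTI_VALIDATION_ACTIVATE, false)) the jti rule is simply not registered when the setting is absent, and nothing in this hunk makes that visible at runtime; consider emitting a log line in initialize() stating whether jti validation is active, so an operator who has not set edc.iam.accesstoken.jti.validation=true can see from the startup output that replay protection for access tokens is off. The literal false is also the default the corresponding @Setting annotation has to repeat; a single named constant used in both places keeps the documented default and the effective default from drifting apart.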

false could be extracted as a constant and used also in the @Setting annotation

@paullatzelsperger paullatzelsperger merged commit ecc3518 into eclipse-edc:main Oct 22, 2024
14 checks passed
@paullatzelsperger paullatzelsperger deleted the feat/use_jti_validation_service branch October 22, 2024 06:52
Successfully merging this pull request may close these issues.

Implement infrastructure to verify jti claims