Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhance the authentication middleware function to support external JWT #810

Open
lindseysimple opened this issue Dec 24, 2024 · 0 comments · May be fixed by #811
Open

Enhance the authentication middleware function to support external JWT #810

lindseysimple opened this issue Dec 24, 2024 · 0 comments · May be fixed by #811
Assignees
Labels
enhancement New feature or request

Comments

@lindseysimple
Copy link
Contributor

🚀 Feature Request

Relevant Package [REQUIRED]

This feature request is for EdgeX service controller functions which use the authentication middleware function in go-mod-bootstrap.

Description [REQUIRED]

Currently the authentication middleware function defined in can only verify the JWT issued by the secret provider.

// SecretStoreAuthenticationHandlerFunc prefixes an existing HandlerFunc
// with a OpenBao-based JWT authentication check. Usage:
//
// authenticationHook := handlers.NilAuthenticationHandlerFunc()
// if secret.IsSecurityEnabled() {
// lc := container.LoggingClientFrom(dic.Get)
// secretProvider := container.SecretProviderFrom(dic.Get)
// authenticationHook = handlers.SecretStoreAuthenticationHandlerFunc(secretProvider, lc)
// }
// For optionally-authenticated requests
// r.HandleFunc("path", authenticationHook(handlerFunc)).Methods(http.MethodGet)
//
// For unauthenticated requests
// r.HandleFunc("path", handlerFunc).Methods(http.MethodGet)
//
// For typical usage, it is preferred to use AutoConfigAuthenticationFunc which
// will automatically select between a real and a fake JWT validation handler.
func SecretStoreAuthenticationHandlerFunc(secretProvider interfaces.SecretProviderExt, lc logger.LoggingClient) echo.MiddlewareFunc {
return func(inner echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
r := c.Request()
w := c.Response()
authHeader := r.Header.Get("Authorization")
lc.Debugf("Authorizing incoming call to '%s' via JWT (Authorization len=%d), %v", r.URL.Path, len(authHeader), secretProvider.IsZeroTrustEnabled())
if secretProvider.IsZeroTrustEnabled() {
zitiCtx := r.Context().Value(zerotrust.OpenZitiIdentityKey{})
if zitiCtx != nil {
if zitiEdgeConn, ok := zitiCtx.(edge.Conn); ok {
lc.Debugf("Authorizing incoming connection via OpenZiti for %s", zitiEdgeConn.SourceIdentifier())
return inner(c)
}
lc.Warn("context value for OpenZitiIdentityKey is not an edge.Conn")
}
lc.Debug("zero trust was enabled, but no marker was found. this is unexpected. falling back to token-based auth")
}
authParts := strings.Split(authHeader, " ")
if len(authParts) >= 2 && strings.EqualFold(authParts[0], "Bearer") {
token := authParts[1]
validToken, err := secretProvider.IsJWTValid(token)

The need arises to authenticate users using JWTs issued by an external JWT provider.

Describe the solution you'd like

The authentication middleware function can be enhanced to utilize the POST /key and GET /key/verification/issuer/{issuer} APIs from the security-proxy-auth service to verify JWTs issued by external providers.

@lindseysimple lindseysimple added the enhancement New feature or request label Dec 24, 2024
@lindseysimple lindseysimple self-assigned this Dec 24, 2024
@github-project-automation github-project-automation bot moved this to New Issues in Technical WG Dec 24, 2024
lindseysimple added a commit to lindseysimple/go-mod-bootstrap that referenced this issue Dec 26, 2024
Resolves edgexfoundry#810. Enhance the auth middleware func to support external JWT verifcation.

Signed-off-by: Lindsey Cheng <[email protected]>
@lindseysimple lindseysimple moved this from New Issues to In Progress in Technical WG Dec 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
Status: In Progress
Development

Successfully merging a pull request may close this issue.

1 participant