Auth: support AWS ALB JWT #45191
Auth: support AWS ALB JWT #45191
Conversation
mtanda
requested review from
sdboyer,
zserge,
dsotirakis and
sakjur
and removed request for
a team
|
Thank you, I'll review this!
Did you get a sense for how large the fix would be for go-jose when looking into it? |
|
Thanks for review! When I pass raw AWS JWT (which contain extra The header of AWS JWT contain |
|
Another option is adding skip verification flag to Grafana. |
I'm not very fond of that, it feels like that might be error prone with someone using it "to test" and it sticking around 🤔 |
Basically, I agree with you. Skipping verification is recommendation of AWS Support.
I think AWS never fix it. I need this feature. Skipping verification could be workaround... |
That leaves your infrastructure wide open with one accidental change that exposes Grafana. If you're willing to risk that, you can setup proxy auth and use the |
|
I definitely want to see this get finished and merged ... but I agree, it needs to do the full authentication end-to-end. |
|
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 2 weeks if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
|
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 2 weeks if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
|
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 2 weeks if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
|
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 2 weeks if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
|
This pull request has been automatically closed because it has not had activity in the last 2 weeks. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
|
FWIW - AWS ALB support sure would be nice. :-) |
|
+1 from me ALB support would be great |
|
Hey, was this implemented? |
|
This won't be implemented because it's an Enterprise feature. |
What this PR does / why we need it:
Add support for AWS ALB JWT authentication.
AWS ALB is popular service, and it provides authentication feature.
If authentication is enabled, ALB pass header which includes JWT to backend instance.
AWS doesn't provides public key as JWK, and key URL contain key id.
Current Grafana implementation doesn't support it.
There is sample code how to verify JWT in official doc.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#user-claims-encoding
Which issue(s) this PR fixes:
related to #44261
Special notes for your reviewer:
There is a pitfall. If JWT contain extra padding, go-jose return
error in cryptographic primitiveerror.AWS JWT does not conform to standard.
auth0/node-jws#84 (comment)
golang-jwt/jwt#92
go-jose generate data to be signed from parsed JWT data.
https://github.com/square/go-jose/blob/v2.5.1/jws.go#L105-L138
The computed sign doesn't match to JWT embedded sign.
Currently, I don't have idea to fix this without forking go-jose or switching other library.