Auth: support AWS ALB JWT #45191
Conversation
Thank you, I'll review this!
Did you get a sense for how large the fix would be for go-jose when looking into it?
Thanks for the review! When I pass a raw AWS JWT (which contains extra The header of the AWS JWT contains
Another option is adding a skip-verification flag to Grafana.
I'm not very fond of that, it feels like that might be error-prone with someone using it "to test" and it sticking around 🤔
Basically, I agree with you. Skipping verification is the recommendation of AWS Support.
I think AWS will never fix it. I need this feature. Skipping verification could be a workaround...
That leaves your infrastructure wide open with one accidental change that exposes Grafana. If you're willing to risk that, you can set up proxy auth and use the
I definitely want to see this get finished and merged ... but I agree, it needs to do the full authentication end-to-end.
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 2 weeks if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!
This pull request has been automatically closed because it has not had activity in the last 2 weeks. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!
FWIW - AWS ALB support sure would be nice. :-)
+1 from me, ALB support would be great
Hey, was this implemented?
This won't be implemented because it's an Enterprise feature.
What this PR does / why we need it:
Add support for AWS ALB JWT authentication.
AWS ALB is a popular service, and it provides an authentication feature.
If authentication is enabled, the ALB passes a header which includes a JWT to the backend instance.
AWS doesn't provide the public key as a JWK, and the key URL contains the key id.
The current Grafana implementation doesn't support it.
There is sample code showing how to verify the JWT in the official doc:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#user-claims-encoding
Which issue(s) this PR fixes:
related to #44261
Special notes for your reviewer:
There is a pitfall. If the JWT contains extra padding, go-jose returns an "error in cryptographic primitive" error. The AWS JWT does not conform to the standard.
auth0/node-jws#84 (comment)
golang-jwt/jwt#92
go-jose generates the data to be signed from the parsed JWT data.
https://github.com/square/go-jose/blob/v2.5.1/jws.go#L105-L138
The computed signature doesn't match the signature embedded in the JWT.
Currently, I don't have an idea how to fix this without forking go-jose or switching to another library.
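The verification flow the description refers to, and the padding pitfall from the reviewer notes, as an added Go example that is not part of this PR, of Grafana, or of go-jose. It generates a throwaway P-256 key in place of the ALB's published key, builds an ES256 token whose segments carry the "=" padding the PR reports, and verifies it two ways: over the raw segments exactly as received (the approach the AWS sample takes), and by rebuilding the signing input from the decoded segments in canonical unpadded form, which is how the PR describes go-jose behaving. The header, payload, and kid are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// ES256 (ECDSA P-256 + SHA-256) is what the ALB uses. A JWS signature is
// the raw r||s concatenation, 32 bytes per coordinate.
const coordSize = 32

// Constructed sample header and payload; the kid is a placeholder. On a
// real ALB token the kid is what locates the PEM public key at the key URL.
var (
	sampleHeader  = []byte(`{"typ":"JWT","kid":"EXAMPLE-KID","alg":"ES256"}`)
	samplePayload = []byte(`{"sub":"user-123","email":"user@example.com","exp":4102444800}`)
)

// decodeSegment accepts both padded and unpadded base64url, since the ALB
// emits padded segments while RFC 7515 tokens omit the padding.
func decodeSegment(seg string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(seg, "="))
}

// buildToken signs header.payload with ES256. With padded=true the segments
// use padded base64url, imitating the form the PR reports the ALB emits.
func buildToken(priv *ecdsa.PrivateKey, header, payload []byte, padded bool) (string, error) {
	enc := base64.RawURLEncoding
	if padded {
		enc = base64.URLEncoding
	}
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 2*coordSize)
	r.FillBytes(sig[:coordSize])
	s.FillBytes(sig[coordSize:])
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyES256 checks the raw r||s signature segment over signingInput.
func verifyES256(pub *ecdsa.PublicKey, signingInput, sigSeg string) error {
	sig, err := decodeSegment(sigSeg)
	if err != nil {
		return err
	}
	if len(sig) != 2*coordSize {
		return errors.New("jwt: bad ES256 signature length")
	}
	r := new(big.Int).SetBytes(sig[:coordSize])
	s := new(big.Int).SetBytes(sig[coordSize:])
	digest := sha256.Sum256([]byte(signingInput))
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return errors.New("jwt: signature mismatch")
	}
	return nil
}

// verifyRawSegments hashes the first two segments exactly as received, as
// the AWS sample does, so padded tokens verify.
func verifyRawSegments(pub *ecdsa.PublicKey, token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("jwt: expected 3 segments")
	}
	return verifyES256(pub, parts[0]+"."+parts[1], parts[2])
}

// verifyReencoded mimics the behaviour the PR attributes to go-jose: decode
// the segments, then rebuild the signing input in canonical unpadded form.
// For a padded token that input differs from what was signed, so a genuine
// token is rejected.
func verifyReencoded(pub *ecdsa.PublicKey, token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("jwt: expected 3 segments")
	}
	hdr, err1 := decodeSegment(parts[0])
	pl, err2 := decodeSegment(parts[1])
	if err1 != nil || err2 != nil {
		return errors.New("jwt: malformed segment")
	}
	rebuilt := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(pl)
	return verifyES256(pub, rebuilt, parts[2])
}

// Outcome records how each strategy treats one freshly built token.
type Outcome struct{ Padded, RawAccepts, ReencodedAccepts bool }

// run builds a token (padded or not) with a throwaway key and tries both verifiers.
func run(padded bool) (Outcome, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	token, err := buildToken(priv, sampleHeader, samplePayload, padded)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		Padded:           strings.Contains(token, "="),
		RawAccepts:       verifyRawSegments(&priv.PublicKey, token) == nil,
		ReencodedAccepts: verifyReencoded(&priv.PublicKey, token) == nil,
	}, nil
}

func main() {
	for _, padded := range []bool{false, true} {
		out, err := run(padded)
		if err != nil {
			panic(err)
		}
		fmt.Printf("padded=%v raw=%v reencoded=%v\n", out.Padded, out.RawAccepts, out.ReencodedAccepts)
	}
}
```

The unpadded token passes both verifiers; the padded one passes only the raw-segment check, which is the mismatch the description reports. In a real deployment the public key is fetched by the header's kid rather than generated locally, and a verifier that does the full authentication end-to-end, as the reviewers ask for, still has to check the expiry and the other claims after the signature is accepted.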