Allow using multiple keys and selecting between them via kid#40
kfirg-cetu wants to merge 1 commit into haproxytech:master from
JWT contains a mechanism for selecting the correct key by using an identifier. This commit adds an ability to use a different key based on the parameter in the JWT to verify. To make sure that the change doesn't introduce any issues a new test script was added to run some sanity tests.
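The selection mechanism the description refers to is the `kid` (key ID) header of the JWT: the verifier reads it, looks the identifier up in its configured key table, and verifies the signature with that key only. The following is an added example, not code from this pull request or from haproxy-lua-oauth; it uses HS256 shared secrets so it runs on the Python standard library alone (the project pairs identifiers with PEM public keys, but the lookup and rejection logic is the same). The key table, secrets and tokens are constructed here; `sign_token` exists only to build test input.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key table: kid -> secret. In the project this would be the
# OAUTH_KID list paired with the OAUTH_PUBKEY_PATH list; here secrets are
# literals so the example is self-contained.
KEYS = {
    "key-2023": b"constructed-secret-one",
    "key-2024": b"constructed-secret-two",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: Optional[str], claims: dict, secret: Optional[bytes] = None) -> str:
    """Mint an HS256 token (test input only). `secret` overrides the table so the
    test can build tokens whose kid and signing key disagree."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    key = KEYS[kid] if secret is None else secret
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, keys: dict = KEYS) -> Optional[dict]:
    """Return the claims if the token verifies against the key named by its kid,
    otherwise None. Every failure path is a hard reject: there is no fallback
    to a default key, and the kid is only ever used as a dictionary lookup,
    never to build a file path."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token (wrong segment count, bad base64 or JSON)
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # the token must not choose an algorithm we did not configure
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in keys:
        return None  # missing or unknown kid: reject, do not try other keys
    signing_input = (header_b64 + "." + claims_b64).encode("ascii")
    expected = hmac.new(keys[kid], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        return None
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None


if __name__ == "__main__":
    good = sign_token("key-2024", {"sub": "alice"})
    print("valid token ->", verify_token(good))
    wrong_key = sign_token("key-2023", {"sub": "mallory"}, secret=KEYS["key-2024"])
    print("kid/key mismatch ->", verify_token(wrong_key))
    print("unknown kid ->", verify_token(sign_token("key-9999", {"sub": "x"}, secret=b"x")))
```

The cases worth keeping in a test suite for a change like this one are exactly the rejects: a token whose `kid` names one configured key but was signed with another, a `kid` that is not configured at all, and a token with no `kid` header; each must fail rather than succeed against whichever key happens to be first in the list.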
maybe better added (didn't check whether it's already there) in the mainline/integrated C JWT code:
| ## Support for multiple keys | ||
|
|
||
| This library support specifying multiple keys values in the JWT token. They should be specified as a JSON array of strings. | ||
| You can also accept multiple audience values in the `OAUTH_KID` and `OAUTH_PUBKEY_PATH` environment variables in the **haproxy.cfg** file. Separate each value |
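Review bot: the README text in this hunk should say how the entries in `OAUTH_KID` pair with the entries in `OAUTH_PUBKEY_PATH` (by position, so the two lists must have the same length?) and what happens when a token's `kid` header matches none of the configured identifiers; that case should be documented as a rejection so that nobody expects a fallback to the first key in the list.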
Replace "audience values" with "key identifier values"?
| - ./example/haproxy/pem/pubkey.pem:/etc/haproxy/pem/pubkey.pem | ||
| - ./example/haproxy/pem/pubkey2.pem:/etc/haproxy/pem/pubkey2.pem | ||
| - ./example/haproxy/pem/test.com.pem:/etc/haproxy/pem/test.com.pem | ||
| - ./lib/jwtverify.lua:/usr/local/share/lua/5.4/jwtverify.lua |
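Review bot: the bind mounts in this hunk are read-write by default; suffix the PEM and jwtverify.lua mounts with `:ro` (for example `./example/haproxy/pem/pubkey2.pem:/etc/haproxy/pem/pubkey2.pem:ro`) so the container cannot alter the verification keys or the Lua module it executes.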
In the existing repo, jwtverify.lua gets installed by example/haproxy/install.sh line 120:

```sh
install_luaoauth() {
    printf "\r[+] Installing haproxy-lua-oauth\n"
    if [ ! -e $lua_dep_dir ]; then
        mkdir -p $lua_dep_dir;
    fi;
    cp $CWD/lib/*.lua $lua_dep_dir
}
```

which tests the install script. What's the reason to overwrite that installed lua file with a Docker volume?
| @@ -0,0 +1,316 @@ | |||
| #!/bin/bash | |||
|
|
|||
| # Function to wait for containers to be up | |||
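Review bot: nothing between the `#!/bin/bash` line and the first function enables strict mode; add `set -euo pipefail` right after the shebang so that a failing command inside one of the helpers (such as the container wait loop) aborts the run instead of letting a later test count as passed, and place the top-of-file comment describing what test.sh exercises directly under it.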
Might be good to add a comment at the top that explains generally what test.sh does.
When I ran it, I got an error:
[2024-09-24 22:23:20] [ERROR] test_second_key_usage_pass failed
Am I missing a step? Here is the log.txt
| @@ -25,6 +25,7 @@ if not config then | |||
| config = { | |||
Could you please copy the updated lib/jwtverify.lua to example/haproxy/lib/jwtverify.lua? It's the same file, but copied into the example.