Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update jose v4 #248

Merged
merged 3 commits into from
May 21, 2024
Merged

Update jose v4 #248

merged 3 commits into from
May 21, 2024

Conversation

kpcraig
Copy link
Contributor

@kpcraig kpcraig commented May 21, 2024

This is a short PR to update the go-jose library to v4 to avoid possible issues with v2 support, copying hashicorp/vault-plugin-auth-gcp#203

It's possible v2.6.3 also fixes this issue (see https://github.com/go-jose/go-jose/releases/tag/v2.6.3), but this feels more future-proof (and the solution was readily available).

@kpcraig kpcraig requested a review from a team as a code owner May 21, 2024 16:41
@benashz benashz self-requested a review May 21, 2024 16:49
@kpcraig kpcraig merged commit 337d772 into main May 21, 2024
8 checks passed
@kpcraig kpcraig deleted the update-jose-v4 branch May 21, 2024 16:53
kpcraig added a commit that referenced this pull request May 21, 2024
@kpcraig
Revert "Update jose v4 (#248)"
e3ff39a 
This reverts commit 337d772.
@kpcraig
Copy link
Contributor Author

kpcraig commented May 21, 2024

Sorry @benashz , i didn't see the review tag - if you want some more changes I can put them in before the release tag

@benashz
Copy link
Contributor

benashz commented May 21, 2024

@vinay-gopalan @kpcraig - yes, I am fairly certain these changes will break depending on the K8s API server config.

benashz
benashz reviewed May 21, 2024
View reviewed changes
Copy link
Contributor

@benashz benashz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to revisit this change.

path_login.go
@@ -43,6 +43,12 @@ var supportedJwtAlgs = []capjwt.Alg{
capjwt.ES256, capjwt.ES384, capjwt.ES512,
}

var allowedSignatureAlgs = []jose.SignatureAlgorithm{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It feels like we should support setting these from configuration.

path_login.go
var allowedSignatureAlgs = []jose.SignatureAlgorithm{
jose.RS256,
jose.ES256,
jose.HS256,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These don't seem to match what K8s supports, per: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/#options:

--oidc-signing-algs strings     Default: "RS256"
	

Comma-separated list of allowed JOSE asymmetric signing algorithms. JWTs with a supported 'alg' header values are: RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512. Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1.

kpcraig added a commit that referenced this pull request May 21, 2024
@kpcraig
Revert "Update jose v4 (#248)"
ba694dc 
This reverts commit 337d772.
@kpcraig kpcraig mentioned this pull request May 21, 2024
Merged
kpcraig added a commit that referenced this pull request May 21, 2024
@kpcraig
Revert "Update jose v4 (#248)" (#249)
b61847c 
This reverts commit 337d772.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@benashz benashz benashz left review comments

@vinay-gopalan vinay-gopalan vinay-gopalan approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kpcraig @benashz @vinay-gopalan