[ https://issues.apache.org/jira/browse/IMPALA-12232?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Fehr updated IMPALA-12232:
--------------------------------
    Description: 
RFC 8725 contains JWT best practices that state the audience ("AUD") and issuer ("ISS") claims from a JWT should be validated if they are present. Impala currently has no mechanism to validate these claims.

Implement [ISS claim validation|https://datatracker.ietf.org/doc/html/rfc8725#name-validate-issuer-and-subject] and [AUD claim validation|https://datatracker.ietf.org/doc/html/rfc8725#name-use-and-validate-audience] for both JWT and OAuth tokens.
 # Add support for two new elements in the oauth_servers flag JSON object:
 ## audienceClaims – array of strings, list of allowed values for the token’s aud claim.
 ## issuerClaims – array of strings, list of allowed values for the token’s iss claim.
 # If an incoming HTTP request contains the Authorization header, and that header’s value begins with Bearer, then verify that token using these rules (in this order). Some of these verification steps are already present:
 ## Ensure the token contains two periods and only alphanumeric characters and equal signs.
 ## Verify the token can be decoded into a JWT.
 ## Verify the token using the JWK that it declares issued it. If no JWK is declared, then try each JWK.
 ## If the JWKS configuration defines audience claims, ensure the token has the aud claim and that claim’s value is one of the allowed audiences.
 ## If the JWKS configuration defines issuer claims, ensure the token has the iss claim and that claim’s value is one of the allowed issuers.
 # Log successful or failed token authentication attempts and include the client IP, username (based on the configured username claim), audience (aud claim), issuer (iss claim), and key id (kid claim) from the provided JWT (if it could be decoded).

  was:
RFC 8725 contains JWT best practices that state the audience ("AUD") and issuer ("ISS") claims from a JWT should be validated if they are present. Impala currently has no mechanism to validate these claims.

Implement [ISS claim validation|https://datatracker.ietf.org/doc/html/rfc8725#name-validate-issuer-and-subject] and [AUD claim validation|https://datatracker.ietf.org/doc/html/rfc8725#name-use-and-validate-audience] for both JWT and OAuth tokens.
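The verification order laid out in the updated description, as an added example that is not Impala's code: a Python sketch in which symmetric HS256 JWKs stand in for the server's real key set, and the oauth_servers entry, key ids, secrets, client IP and claim values are all constructed for the example.

```python
import base64, hashlib, hmac, json, re

def _b64url(raw):  # base64url without padding, as JWT segments and JWK "k" values use
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _hs256(key, signing_input):
    return hmac.new(key, signing_input, hashlib.sha256).digest()
# Constructed stand-in for one oauth_servers entry: a JWKS of two symmetric (HS256) keys plus the two new allow lists.
SECRETS = {"k1": b"constructed-secret-one", "k2": b"constructed-secret-two"}
OAUTH_SERVER = {"jwks": {"keys": [{"kty": "oct", "kid": k, "k": _b64url(s)} for k, s in SECRETS.items()]},
                "audienceClaims": ["impala"], "issuerClaims": ["https://idp.example.test"]}
# Step 1: exactly two periods, and only the base64url alphabet (letters, digits, -, _, =).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_=-]+\.[A-Za-z0-9_=-]+\.[A-Za-z0-9_=-]*$")

def mint_token(claims, kid, declare_kid=True):  # test helper: HS256-sign with a constructed key
    head = _b64url(json.dumps({"alg": "HS256", **({"kid": kid} if declare_kid else {})}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{head}.{body}." + _b64url(_hs256(SECRETS[kid], f"{head}.{body}".encode()))

def verify_bearer(auth_header, client_ip, server=OAUTH_SERVER, username_claim="sub"):
    """Apply the ticket's checks in order; returns (accepted, record to log)."""
    log = {"client_ip": client_ip, "username": None, "aud": None, "iss": None, "kid": None}
    token = auth_header[len("Bearer "):] if auth_header.startswith("Bearer ") else ""
    if not TOKEN_RE.match(token):
        return False, dict(log, reason="missing or malformed bearer token")
    head_b64, body_b64, sig_b64 = token.split(".")
    try:  # Step 2: header and payload must decode into JSON objects.
        header, claims = (json.loads(_b64url_decode(p)) for p in (head_b64, body_b64))
        sig = _b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)): raise ValueError
    except ValueError:
        return False, dict(log, reason="not a JWT")
    log.update(username=claims.get(username_claim), aud=claims.get("aud"), iss=claims.get("iss"), kid=header.get("kid"))
    # Step 3: verify with the JWK the header names by kid; with no kid declared, try every key.
    kid, keys = header.get("kid"), server["jwks"]["keys"]
    candidates = [k for k in keys if k.get("kid") == kid] if kid else keys
    if header.get("alg") != "HS256" or not any(
            hmac.compare_digest(_hs256(_b64url_decode(k["k"]), f"{head_b64}.{body_b64}".encode()), sig)
            for k in candidates):
        return False, dict(log, reason="signature verification failed")
    # Step 4: with audienceClaims configured, aud must be present (string or array per RFC 7519) and allowed.
    if "audienceClaims" in server:
        aud = claims["aud"] if isinstance(claims.get("aud"), list) else [claims.get("aud")]
        if not any(a in server["audienceClaims"] for a in aud):
            return False, dict(log, reason="aud claim missing or not allowed")
    # Step 5: with issuerClaims configured, iss must be present and allowed.
    if "issuerClaims" in server and claims.get("iss") not in server["issuerClaims"]:
        return False, dict(log, reason="iss claim missing or not allowed")
    return True, dict(log, reason="accepted")
```

The returned record carries the fields the ticket asks to log (client IP, username, aud, iss, kid) whether or not the token was accepted, so a rejected token still leaves a usable audit line.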


> Verify JWT Audience and Issuer Claims
> -------------------------------------
>
>                 Key: IMPALA-12232
>                 URL: https://issues.apache.org/jira/browse/IMPALA-12232
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Backend, Security
>            Reporter: Jason Fehr
>            Assignee: Jason Fehr
>            Priority: Major
>              Labels: Impala, JWT, impala, jwt, security
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
