[THREESCALE-11474] JWT signature verification, support for ES256/ES512 #1533

Merged
merged 7 commits into from
Feb 3, 2025


tkan145
Contributor

@tkan145 tkan145 commented Jan 31, 2025

What

https://issues.redhat.com/browse/THREESCALE-11474

Notes

Since lua-resty-jwt is somewhat abandoned, we need to rebuild lua-resty-jwt to include the authentication bypass fix.

```shell
cat <<EOF >lua-resty-jwt-0.2.3-1.rockspec
rockspec_format = '3.0'
package = 'lua-resty-jwt'
version = '0.2.3-1'
source = {
  url = 'git://github.com/cdbattags/lua-resty-jwt',
}
description = {
  summary = 'JWT for ngx_lua and LuaJIT.',
  detailed = [[
    This library requires an nginx build
    with OpenSSL, the ngx_lua module,
    the LuaJIT 2.0, the lua-resty-hmac,
    and the lua-resty-string,
  ]],
  homepage = 'https://github.com/cdbattags/lua-resty-jwt',
  license = 'Apache License Version 2'
}
dependencies = {
  'lua >= 5.1',
  'lua-resty-openssl >= 0.6.8'
}
build = {
  type = 'builtin',
  modules = {
    ['resty.jwt'] = 'lib/resty/jwt.lua',
    ['resty.evp'] = 'lib/resty/evp.lua',
    ['resty.jwt-validators'] = 'lib/resty/jwt-validators.lua',
    ['resty.hmac'] = 'third-party/lua-resty-hmac/lib/resty/hmac.lua'
  }
}
EOF
```
  • Pack into .rock file
```shell
luarocks pack lua-resty-jwt-0.2.3-1.rockspec
```

Verification steps:

  1. Checkout this branch
  2. Build runtime-image
```shell
make runtime-image IMAGE_NAME=apicast-test
```
  3. Start dev-environment
```shell
cd dev-environments/keycloak-env
make gateway IMAGE_NAME=apicast-test
```
  4. Seed keycloak data
```shell
make keycloak-data
```
  5. Open browser and navigate to the keycloak admin page at http://127.0.0.1:9090
  6. Login with username: admin and password: adminpass
  7. Navigate to basic realm, then clients -> my-client -> Advanced
  8. Change Access token signature algorithm to ES256, then click Save
  9. Get access token
```shell
export ACCESS_TOKEN=$(make token)
```
  10. Open another tab in the browser and navigate to http://jwt.io and paste the access token to decode. Check that "alg": "ES256"
  11. Send request to APIcast
```shell
curl -v --resolve stg.example.com:8080:127.0.0.1 -H "Authorization: Bearer ${ACCESS_TOKEN}" "http://stg.example.com:8080"
```
  12. Request should return 200.
  13. Navigate back to the keycloak portal and change Access token signature algorithm to ES512, then click Save
  14. Repeat steps 9 to 12
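
Added example, not code from this PR, from APIcast or from lua-resty-jwt: a standard-library Go program showing what a JWT verifier has to get right to accept ES256 and ES512 tokens like the ones Keycloak issues in the steps above. It derives hash and coordinate width from the alg, encodes the ECDSA signature as fixed-width raw R||S (RFC 7518 section 3.4) rather than ASN.1 DER, and pins the header `alg` to the key's curve so a token cannot pick `none`, an HS*/RS* downgrade or the wrong curve. The function names, the keys (generated at run time) and the claims are the example's own, not the project's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"hash"
	"math/big"
	"strings"
)

// ecAlg is the RFC 7518 section 3.4 parameter set of one ES* alg: curve, hash,
// and byte length of one ECDSA coordinate. The JWS signature is the raw R||S
// concatenation (not ASN.1 DER), each value left-padded to coordLen.
type ecAlg struct {
	curve    elliptic.Curve
	newHash  func() hash.Hash
	coordLen int
}

// Allow-list: anything not here, including "none", HS* and RS*, is rejected.
var ecAlgs = map[string]ecAlg{
	"ES256": {elliptic.P256(), sha256.New, 32},
	"ES512": {elliptic.P521(), sha512.New, 66},
}

// SignES builds a compact JWS with the named alg and refuses a key whose curve
// does not belong to that alg, so header and key can never disagree.
func SignES(alg string, key *ecdsa.PrivateKey, claims map[string]any) (string, error) {
	p, ok := ecAlgs[alg]
	if !ok || p.curve != key.Curve {
		return "", fmt.Errorf("alg %q unsupported or does not match key curve", alg)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": alg})
	pl, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(pl)
	h := p.newHash()
	h.Write([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, h.Sum(nil))
	if err != nil {
		return "", err
	}
	sig := make([]byte, 2*p.coordLen)
	r.FillBytes(sig[:p.coordLen]) // fixed-width, so a short R or S is still unambiguous
	s.FillBytes(sig[p.coordLen:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyES accepts only the allow-listed ES* algs and requires the header alg to
// match the key's curve, so the token cannot choose which algorithm is run.
func VerifyES(token string, pub *ecdsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS: %d parts", len(parts))
	}
	raw := make([][]byte, 3)
	for i, part := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(part); err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	p, ok := ecAlgs[hdr.Alg]
	if !ok || p.curve != pub.Curve {
		return nil, fmt.Errorf("alg %q not allowed for this key", hdr.Alg)
	}
	if len(raw[2]) != 2*p.coordLen {
		return nil, fmt.Errorf("signature must be %d bytes, got %d", 2*p.coordLen, len(raw[2]))
	}
	r := new(big.Int).SetBytes(raw[2][:p.coordLen])
	s := new(big.Int).SetBytes(raw[2][p.coordLen:])
	h := p.newHash()
	h.Write([]byte(parts[0] + "." + parts[1])) // signing input is the encoded header.payload
	if !ecdsa.Verify(pub, h.Sum(nil), r, s) {
		return nil, fmt.Errorf("signature invalid")
	}
	var claims map[string]any
	err := json.Unmarshal(raw[1], &claims)
	return claims, err
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fresh key; claims are constructed sample data
	tok, _ := SignES("ES256", key, map[string]any{"sub": "alice", "aud": "my-client"})
	claims, err := VerifyES(tok, &key.PublicKey)
	fmt.Println(claims, err)
}
```

Swapping `elliptic.P256()`/`"ES256"` for `elliptic.P521()`/`"ES512"` in `main` exercises the second algorithm; the first base64url segment of a real token from `make token` can also be decoded locally to check `"alg"` rather than pasting a live access token into a third-party site.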

@tkan145 tkan145 requested a review from a team as a code owner January 31, 2025 06:19
@tkan145 tkan145 changed the title WIP - [THREESCALE-11474] Update lua-resty-jwt to v0.2.3 WIP - [THREESCALE-11474] JWT signature verification, support for ES256/ES512 Feb 3, 2025
@tkan145 tkan145 changed the title WIP - [THREESCALE-11474] JWT signature verification, support for ES256/ES512 [THREESCALE-11474] JWT signature verification, support for ES256/ES512 Feb 3, 2025
@tkan145 tkan145 merged commit cd477ef into 3scale:master Feb 3, 2025
14 checks passed
@tkan145 tkan145 deleted the THREESCALE-11474-resty-jwt-0.2.3 branch February 3, 2025 23:15