-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to validate JWT via external service #377
Comments
Better to implement JWKS validation as alternative to external JWT validation service. I think JWKS hooks for Joken can be used for this. |
Fixes #377. - For subscription requests, JWTs that can't be validated are now ignored. This allows to validate JWTs in an external service as configurable via the SUBMISSION_CHECK and SUBSCRIPTION_CHECK environment variables (which was the intention all along). - Response code changed: when connecting and subscribing at the same time, RIG replies with 403 (instead of 400) when not authorized to do so. - Ill-formed JWTs no longer cause subscription requests to fail. - Fixed SUBMISSION_CHECK=jwt_validation - it failed the check anytime, regardless of whether the JWT was valid.
@patrickmedina should be fixed with #378 - can you confirm? |
@kevinbader Thank you for the fix. It is now working for manual subscriptions, it is now validating against the configured external service via SUBSCRIPTION_CHECK envvar. Can we have this work as well on automatic subscriptions via JWT claims? This will be a great help as well to reduce the API calls and rely on the JWT claims for the subscriptions on initial connection. Currently when passing JWT during websocket connection, it still checks for internal JWT configuration instead of validating against an external service. Request:
or
RIG Logs:
|
Ah, I see. I need to redesign this a bit to only allow invalid JWTs in case SUBSCRIPTION_CHECK isn't set to jwt_validation and generally make this more consistent. It'll take me a few days to do it though. |
Summary and context
How to reproduce
When I run RIG with these settings:
External service is running on port 3000 on host machine and is accessible from docker containers.
External service immediately returns 200 OK for testing and doesn't actually validates the JWT.
RIG Config values:
..and set up clients and services like this:
..I see the following error and/or log output:
..but I really expected this:
Versions (please complete the following information):**
The text was updated successfully, but these errors were encountered: