Add support for AssumeRoleWithWebIdentity (#6985)

2025-11-10 22:10:12 -05:00 · 2019-01-04 13:48:12 -08:00
parent e82dcd195c
commit 2d19011a1d
14 changed files with 553 additions and 91 deletions
--- a/pkg/iam/validator/jwt.go
+++ b/pkg/iam/validator/jwt.go
@@ -34,8 +34,8 @@ import (

 // JWKSArgs - RSA authentication target arguments
 type JWKSArgs struct {
-	URL       *xnet.URL `json:"url"`
-	publicKey crypto.PublicKey
+	URL        *xnet.URL `json:"url"`
+	publicKeys map[string]crypto.PublicKey
 }

 // Validate JWT authentication target arguments
@@ -64,9 +64,14 @@ func (r *JWKSArgs) PopulatePublicKey() error {
 		return err
 	}

-	r.publicKey, err = jwk.Keys[0].DecodePublicKey()
-	if err != nil {
-		return err
+	r.publicKeys = make(map[string]crypto.PublicKey)
+	for _, key := range jwk.Keys {
+		var publicKey crypto.PublicKey
+		publicKey, err = key.DecodePublicKey()
+		if err != nil {
+			return err
+		}
+		r.publicKeys[key.Kid] = publicKey
 	}

 	return nil
@@ -172,18 +177,19 @@ func newCustomHTTPTransport(insecure bool) *http.Transport {

 // Validate - validates the access token.
 func (p *JWT) Validate(token, dsecs string) (map[string]interface{}, error) {
+	jp := new(jwtgo.Parser)
+	jp.ValidMethods = []string{"RS256", "RS384", "RS512", "ES256", "ES384", "ES512"}
+
 	keyFuncCallback := func(jwtToken *jwtgo.Token) (interface{}, error) {
-		if _, ok := jwtToken.Method.(*jwtgo.SigningMethodRSA); !ok {
-			if _, ok = jwtToken.Method.(*jwtgo.SigningMethodECDSA); ok {
-				return p.args.publicKey, nil
-			}
-			return nil, fmt.Errorf("Unexpected signing method: %v", jwtToken.Header["alg"])
+		kid, ok := jwtToken.Header["kid"].(string)
+		if !ok {
+			return nil, fmt.Errorf("Invalid kid value %v", jwtToken.Header["kid"])
 		}
-		return p.args.publicKey, nil
+		return p.args.publicKeys[kid], nil
 	}

 	var claims jwtgo.MapClaims
-	jwtToken, err := jwtgo.ParseWithClaims(token, &claims, keyFuncCallback)
+	jwtToken, err := jp.ParseWithClaims(token, &claims, keyFuncCallback)
 	if err != nil {
 		if err = p.args.PopulatePublicKey(); err != nil {
 			return nil, err
--- a/pkg/iam/validator/jwt_test.go
+++ b/pkg/iam/validator/jwt_test.go
@@ -44,10 +44,10 @@ func TestJWT(t *testing.T) {
 		t.Fatalf("Expected 1 keys, got %d", len(jk.Keys))
 	}

-	keys := make([]crypto.PublicKey, len(jk.Keys))
+	keys := make(map[string]crypto.PublicKey, len(jk.Keys))
 	for ii, jks := range jk.Keys {
 		var err error
-		keys[ii], err = jks.DecodePublicKey()
+		keys[jks.Kid], err = jks.DecodePublicKey()
 		if err != nil {
 			t.Fatalf("Failed to decode key %d: %v", ii, err)
 		}
@@ -59,8 +59,8 @@ func TestJWT(t *testing.T) {
 	}

 	jwt := NewJWT(JWKSArgs{
-		URL:       u1,
-		publicKey: keys[0],
+		URL:        u1,
+		publicKeys: keys,
 	})
 	if jwt.ID() != "jwt" {
 		t.Fatalf("Uexpected id %s for the validator", jwt.ID())