Remove requirement for issued at JWT claims (#5364)

Remove the requirement for IssuedAt claims from JWT
for now, since we do not currently have a way to provide
a leeway window for validating the claims. Expiry does
the same checks as IssuedAt with an expiry window.

We do not need it right now since we have clock skew check
in our RPC layer to handle this correctly.

rpc-common.go
```
func isRequestTimeAllowed(requestTime time.Time) bool {
        // Check whether request time is within acceptable skew time.
        utcNow := UTCNow()
        return !(requestTime.Sub(utcNow) > rpcSkewTimeAllowed ||
                utcNow.Sub(requestTime) > rpcSkewTimeAllowed)
}
```

Once the upstream PR https://github.com/dgrijalva/jwt-go/pull/139 is merged,
we can bring in support for leeway later.

Fixes #5237
Harshavardhana 2018-01-10 10:34:00 -08:00 committed by kannappanr
parent 3f8379d07d
commit b526cd7e55


@ -63,14 +63,11 @@ func authenticateJWT(accessKey, secretKey string, expiry time.Duration) (string,
return "", errAuthentication return "", errAuthentication
} }
utcNow := UTCNow() jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.StandardClaims{
token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.StandardClaims{ ExpiresAt: UTCNow().Add(expiry).Unix(),
ExpiresAt: utcNow.Add(expiry).Unix(),
IssuedAt: utcNow.Unix(),
Subject: accessKey, Subject: accessKey,
}) })
return jwt.SignedString([]byte(serverCred.SecretKey))
return token.SignedString([]byte(serverCred.SecretKey))
} }
func authenticateNode(accessKey, secretKey string) (string, error) { func authenticateNode(accessKey, secretKey string) (string, error) {
@ -127,7 +124,7 @@ func webRequestAuthenticate(req *http.Request) error {
return errAuthentication return errAuthentication
} }
if err = claims.Valid(); err != nil { if err = claims.Valid(); err != nil {
return err return errAuthentication
} }
if claims.Subject != globalServerConfig.GetCredential().AccessKey { if claims.Subject != globalServerConfig.GetCredential().AccessKey {
return errInvalidAccessKeyID return errInvalidAccessKeyID
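Review bot: In the second hunk, mapping every `claims.Valid()` failure to `errAuthentication` discards the reason, so an expired token and one rejected for another claim become indistinguishable in the server's own diagnostics. As far as I know, jwt-go's `StandardClaims.Valid()` still verifies `iat` when the claim is present, so tokens minted before this change could keep failing on clock skew after an upgrade, and that would now be hard to tell apart from a bad token. Returning the generic error to the client is reasonable; I would record the original `err` server-side before the `return errAuthentication`, with a comment such as `// Do not expose claim validation details to the client; the cause is logged above.` The body of webRequestAuthenticate starts and ends outside the hunk.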