JWK sets #809
Conversation
| /// The root authentication key. | ||
| /// If present, all paths will require a token unless they are in the public list. | ||
| #[arg(long = "auth-key", env = "MOQ_AUTH_KEY")] | ||
| #[arg(long = "auth-key", env = "MOQ_AUTH_KEY", conflicts_with = "jwks_uri")] |
Could we detect if this starts with http instead? Seems cleaner than conflicts_with.
| use std::path::Path; | ||
| use std::sync::{Arc, RwLock}; | ||
| pub trait KeyProvider { |
I don't think you need a trait. Arc<Mutex<KeySet>> should be good enough, with the (HTTP) background task periodically refreshing the keys.
| #[cfg(feature = "jwks-loader")] | ||
| pub struct KeySetLoader { | ||
| jwks_uri: String, | ||
| keys: RwLock<Option<KeySet>>, |
I don't like how this is Option. We should gate program start on the keys being loaded.
| ``` | ||
| :::tip The following must be considered: | ||
| - The endpoint must be HTTPS (unless you know what you're doing, then you can set `dangerously_allow_insecure_jwks = true` to allow HTTP) |
IMO let them configure HTTP if they want. It's probably some local service that provides the keys.
Flags like dangerously_allow_insecure_jwks are typically to disable HTTPS peer validation, not allow HTTP. I understand the extra scrutiny because these are auth keys, but eh it's a config file.
| pub dangerously_allow_insecure_jwks: Option<bool>, | ||
| /// How often to refresh the JWK set (in seconds), if not provided the JWKs won't be refreshed. | ||
| /// Minimum value: 30 |
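Review bot: the doc comment in this hunk says the set is never refreshed when the interval is omitted, but it does not say what happens when a token arrives with a `kid` that is not in the cached set; please document that case (an explicit verification error, or a refresh on miss), because with no interval configured a key rotated at the issuer would otherwise never be picked up.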
What's the default? Nothing?
| #[derive(Default, Clone)] | ||
| pub struct KeySet { | ||
| /// Vec of an arbitrary number of Json Web Keys | ||
| pub keys: Vec<Arc<Key>>, |
HashMap based on kid?
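The shape the three review comments above describe (a shared `Arc<RwLock<..>>` instead of a trait, no `Option` around the loaded set, and keys indexed by `kid`), as an added example that is not code from this PR or the project: the `Key` struct is a hypothetical stand-in for a JWK, and the `fetch` closure stands in for the HTTPS GET of the JWKS document so the example runs offline.

```rust
use std::collections::HashMap;
use std::sync::{Arc, RwLock};

/// One JSON Web Key, reduced to the fields this example needs (hypothetical, not the project's type).
pub struct Key {
    pub kid: String,
    pub alg: String,
}

/// Keys indexed by `kid`, so matching a token header to its key is a single lookup.
pub type KeySet = HashMap<String, Arc<Key>>;
/// Smallest accepted refresh interval, matching the "Minimum value: 30" in the config docs.
pub const MIN_REFRESH_SECS: u64 = 30;
/// Shared, periodically refreshed key set; construction fails if the first fetch fails, so there is no None state.
pub struct KeySetLoader {
    keys: Arc<RwLock<KeySet>>,
}

fn index_by_kid(keys: Vec<Key>) -> KeySet {
    keys.into_iter().map(|k| (k.kid.clone(), Arc::new(k))).collect()
}

impl KeySetLoader {
    /// `fetch` stands in for the HTTPS GET of the JWKS document (assumed, so this runs offline).
    pub fn start<F>(fetch: F, refresh_secs: Option<u64>) -> Result<Self, String>
    where
        F: Fn() -> Result<Vec<Key>, String> + Send + 'static,
    {
        if let Some(secs) = refresh_secs.filter(|s| *s < MIN_REFRESH_SECS) {
            return Err(format!("refresh interval {secs}s is below the minimum of {MIN_REFRESH_SECS}s"));
        }
        // Gate start-up on a successful initial load instead of storing Option<KeySet>.
        let keys = Arc::new(RwLock::new(index_by_kid(fetch()?)));
        if let Some(secs) = refresh_secs {
            let shared = Arc::clone(&keys);
            std::thread::spawn(move || loop {
                std::thread::sleep(std::time::Duration::from_secs(secs));
                // A failed refresh keeps the last good set rather than wiping it.
                if let Ok(fresh) = fetch() {
                    *shared.write().unwrap() = index_by_kid(fresh);
                }
            });
        }
        Ok(Self { keys })
    }

    pub fn get(&self, kid: &str) -> Option<Arc<Key>> {
        self.keys.read().unwrap().get(kid).cloned()
    }
}
```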
| // Test anonymous access to /anon path | ||
| let auth = Auth::new(AuthConfig { | ||
| key: None, | ||
| jwks_uri: None, |
#[derive(Default)] so you can:

```rust
let auth = Auth::new(AuthConfig {
    public: Some("anon".to_string()),
    ..Default::default()
});
```
| pub request: Request, | ||
| pub cluster: Cluster, | ||
| pub auth: Auth, | ||
| pub auth: Arc<Auth>, |
I generally make classes Clone for aesthetic reasons, keeping Arc an internal implementation detail, but this works too.
Addresses #734
Still a draft since I wanna do some more testing myself, add unit tests and also write some documentation on it.
The config looks something like this: