keratin / authn-rb
Ruby client library for Keratin AuthN
Home Page: https://github.com/keratin/authn
License: GNU Lesser General Public License v3.0
Currently, JWKs are fetched from the JWT `iss` after verifying that the `iss` is equivalent to the configuration. This should be refactored so that keys are fetched directly from the configured issuer and made available to the token verifier by `kid`.

The expected benefit is a clearer verification process that does not depend on transitive trust.
The audience is set up as a static configuration within this library, which makes it currently impossible to allow a single backend to service multiple front-end domains.

The README.md example shows this configuration:

```ruby
Keratin::AuthN.config.tap do |config|
  # The base URL of your Keratin AuthN service
  config.issuer = 'https://authn.myapp.com'
  # The domain of your application
  config.audience = 'myapp.com'
  # HTTP basic auth for using AuthN's private endpoints
  config.username = 'secret'
  config.password = 'secret'
end
```

and within `id_token_verifier.rb` it's grabbing the audience out of the configuration for verification:

```ruby
def token_for_us?
  jwt[:aud] == Keratin::AuthN.config.audience
end
```

However, if we have multiple frontend servers hitting the same backend API we will only be able to service one of them. I can set the configuration to one or the other but not both. It would be nice if we could pass a parameter (maybe optional) into `subject_from` as an audience override. That way we can take the referrer header from the request and pass it through. That should allow for the audience verification but allow it to work a bit more dynamically.
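The audience check discussed above, written out as an added example that is not code from authn-rb or its author. It generalises the single `config.audience` to an allow-list of front-end domains and accepts an optional per-request override; `ALLOWED_AUDIENCES`, the parameters of `token_for_us?` and the `audience_from_referer` helper are assumptions for illustration. The practitioner's caveat is built in: a client controls its own Referer header, so an override is honoured only if it is already one of the configured audiences, which stops a token minted for some unrelated audience on the same AuthN server from being accepted just because the request names that audience.

```ruby
require 'uri'

# Added example, not authn-rb code. Constructed allow-list standing in for the
# single config.audience value from the README.
ALLOWED_AUDIENCES = %w[myapp.com admin.myapp.com].freeze

# claim_aud is the token's aud claim; RFC 7519 allows a string or an array.
# requested is the optional per-request override. Because the client controls
# request headers, the override is only honoured when it is one of the
# configured audiences; any other override rejects the token outright.
def token_for_us?(claim_aud, requested = nil, allowed = ALLOWED_AUDIENCES)
  expected =
    if requested.nil?
      allowed
    else
      return false unless allowed.include?(requested)
      [requested]
    end
  Array(claim_aud).any? { |a| expected.include?(a) }
end

# Derive a candidate audience from a Referer header (host part only, lowercased).
# Returns nil when the header is missing or unparsable so the caller falls back
# to the configured list rather than trusting a malformed value.
def audience_from_referer(referer)
  return nil if referer.nil? || referer.empty?
  host = URI.parse(referer).host
  host && host.downcase
rescue URI::InvalidURIError
  nil
end

# Usage with a constructed Referer value:
if __FILE__ == $PROGRAM_NAME
  aud = audience_from_referer('https://admin.myapp.com/login')
  puts token_for_us?('admin.myapp.com', aud)  # true
  puts token_for_us?('evil.com', 'evil.com')  # false: override is not allow-listed
end
```

With no override the check accepts any configured audience, so the single-domain setup from the README keeps working; with an override it narrows to exactly that one domain.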
Configuration should allow a separate URL for issuing requests to private endpoints.

This is intended to solve a tricky bit of setup in deployments where communication between services goes over a private network. Currently, this setup requires configuring authn-server and the backend with the private URL as issuer, while configuring the frontend with the public URL.

- `config.issuer`: must match the `iss` claim in authn-server tokens
- `config.authn_url`: provides the base url for private communication with authn-server (defaults to `config.issuer`)

Hey @cainlevy, I'm curious, are you open to extending this project so that the caller of `subject_from` can get better information than the id token verification worked/failed?
One way I have implemented this is, is by raising errors in the verifier and then catching that error in the application controller and then returning the error's message to the client. I have found this very helpful when working on projects so that you can know why the login failed.
Thoughts?