jwt credential does not have "username" but "key" #4993
Conversation
the key (i.e. iss - jwt issuer) represents the authenticated jwt credential
|
@davinwang hi, that is indeed dead code because |
change credential.username to credential.key in if condition
|
@hishanmhm hi, my bad, forgot to change the credential.username in if condition ;-) |
|
@davinwang We end up in a strange situation because the JWT key is not really a "username"... I don't know if it wouldn't cause more confusion than the benefit of consistency between plugins. |
|
@hishamhm I think the consistency is about how to define X-Credential-Username. For me, it represents the identity of the authenticated key, just like X-Consumer-Username represents for the identity of authenticated consumer. Whether its name is "key" or "username" is not the most important problem to me. Basic-auth and hmac-auth use "username", key-auth and jwt-auth use "key", unless we migrate the database schema. |
|
Hi, we have discussed this internally and we think X-Credential-Username is not appropriate for "key" plugins. Instead we think it would be better to add a new header called X-Credential-Identifier on every auth plugin, and at the same time keep X-Credential-Username on the plugins which already use it. |
|
Hi, what I was suggesting is that you changed the header in your PR to Apologies if this wasn't clear. |
|
@kikito Hi, I changed the PR according to above discussion, please feel free to advise |
|
Hi @davinwang, thanks for your changes. Do you mind changing the target branch from |
|
Thank you @davinwang, the PR is now merged! Please go ahead and grab a t-shirt: https://github.com/Kong/kong/blob/master/CONTRIBUTING.md#contributor-t-shirt :-) |
### Summary Adds test for a feature contributed by community member @davinwang.
…redential-Username) ### Summary The PR #4993 implemented `X-Credential-Identifier` for `JWT Plugin` and it was decided at time that we should add support for this less opinionated field name on other auth plugins too. This commit adds it to `Basic Auth Plugin`.
…dential-Username) ### Summary The PR #4993 implemented `X-Credential-Identifier` for `JWT Plugin` and it was decided at time that we should add support for this less opinionated field name on other auth plugins too. This commit adds it to `Key Auth Plugin`.
…edential-Username) ### Summary The PR #4993 implemented `X-Credential-Identifier` for `JWT Plugin` and it was decided at time that we should add support for this less opinionated field name on other auth plugins too. This commit adds it to `HMAC Auth Plugin`.
…edential-Username) ### Summary The PR #4993 implemented `X-Credential-Identifier` for `JWT Plugin` and it was decided at time that we should add support for this less opinionated field name on other auth plugins too. This commit adds it to `LDAP Auth Plugin`.
…ntial-Username) ### Summary The PR #4993 implemented `X-Credential-Identifier` for `JWT Plugin` and it was decided at time that we should add support for this less opinionated field name on other auth plugins too. This commit adds it to `OAuth2 Plugin`. This feature was originally implemented by @lucasmoreno on PR #5201. Thank you, Lucas, grab your T-shirt: https://github.com/Kong/kong/blob/master/CONTRIBUTING.md#contributor-t-shirt! I just refactored @lucasmoreno's code to use our generic `X-Credential-Identifier` header instead of the proposed `X-Credential-Client-Id`. ### Issues Resolved Closes #5201
…dential-Username) ### Summary The PR #4993 implemented `X-Credential-Identifier` for `JWT Plugin` and it was decided at time that we should add support for this less opinionated field name on other auth plugins too. This commit adds it to `Key Auth Plugin`.
…edential-Username) ### Summary The PR #4993 implemented `X-Credential-Identifier` for `JWT Plugin` and it was decided at time that we should add support for this less opinionated field name on other auth plugins too. This commit adds it to `HMAC Auth Plugin`.
…edential-Username) ### Summary The PR #4993 implemented `X-Credential-Identifier` for `JWT Plugin` and it was decided at time that we should add support for this less opinionated field name on other auth plugins too. This commit adds it to `LDAP Auth Plugin`.
…ntial-Username) ### Summary The PR #4993 implemented `X-Credential-Identifier` for `JWT Plugin` and it was decided at time that we should add support for this less opinionated field name on other auth plugins too. This commit adds it to `OAuth2 Plugin`. This feature was originally implemented by @lucasmoreno on PR #5201. Thank you, Lucas, grab your T-shirt: https://github.com/Kong/kong/blob/master/CONTRIBUTING.md#contributor-t-shirt! I just refactored @lucasmoreno's code to use our generic `X-Credential-Identifier` header instead of the proposed `X-Credential-Client-Id`. ### Issues Resolved Closes #5201
…redential-Username) ### Summary The PR #4993 implemented `X-Credential-Identifier` for `JWT Plugin` and it was decided at time that we should add support for this less opinionated field name on other auth plugins too. This commit adds it to `Basic Auth Plugin`.
…dential-Username) ### Summary The PR #4993 implemented `X-Credential-Identifier` for `JWT Plugin` and it was decided at time that we should add support for this less opinionated field name on other auth plugins too. This commit adds it to `Key Auth Plugin`.
…edential-Username) ### Summary The PR #4993 implemented `X-Credential-Identifier` for `JWT Plugin` and it was decided at time that we should add support for this less opinionated field name on other auth plugins too. This commit adds it to `HMAC Auth Plugin`.
…edential-Username) ### Summary The PR #4993 implemented `X-Credential-Identifier` for `JWT Plugin` and it was decided at time that we should add support for this less opinionated field name on other auth plugins too. This commit adds it to `LDAP Auth Plugin`.
…ntial-Username) ### Summary The PR #4993 implemented `X-Credential-Identifier` for `JWT Plugin` and it was decided at time that we should add support for this less opinionated field name on other auth plugins too. This commit adds it to `OAuth2 Plugin`. This feature was originally implemented by @lucasmoreno on PR #5201. Thank you, Lucas, grab your T-shirt: https://github.com/Kong/kong/blob/master/CONTRIBUTING.md#contributor-t-shirt! I just refactored @lucasmoreno's code to use our generic `X-Credential-Identifier` header instead of the proposed `X-Credential-Client-Id`. ### Issues Resolved Closes #5201
Summary
The jwt credential according to its database definition, does not have username but key. The key can be used to represents the authenticated jwt_credential.
Full changelog
Issues resolved
X-Credential-Username is correctly set with jwt credential.key (i.e. iss - jwt issuer) which represents the authenticated jwt credential. Therefore other plugins relying on X-Credential-Username will work.
Fix #XXX