Basic JWT-based authentication and authorization #8627
+956
−54
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
grtlr
added
exclude from changelog
|
Web viewer built successfully. If applicable, you should also test it:
Note: This comment is updated whenever you push a commit. |
jleibs
reviewed
Jan 10, 2025
Comment on lines
+19
to
+28
| /// A common secret that is shared between the client and the server. | ||
| /// | ||
| /// This represents a symmetric authentication scheme, which means that the | ||
| /// same key is used to both sign and verify the token. | ||
| /// In the future, we will need to support asymmetric schemes too. | ||
| /// | ||
| /// The key is stored unencrypted in memory. | ||
| #[derive(Clone)] | ||
| #[repr(transparent)] | ||
| pub struct SecretKey(HS256Key); |
There was a problem hiding this comment.
As discussed, this key should not actually be shared by clients.
This key is exclusively for the identity provider. The fact that we are going to share the key with clients so they can act as their own identity-provider is more of a short-term management detail.
I would actually move this whole bit into another module like provider.rs
Comment on lines
+9
to
+11
| pub struct Permission { | ||
| write: bool, | ||
| } |
There was a problem hiding this comment.
The fact that write=false still implies read isn't totally obvious or necessarily expected.
Let's be explicit:
Suggested change
| pub struct Permission { | |
| write: bool, | |
| } | |
| pub enum Permission { | |
| ReadOnly, | |
| ReadWrite | |
| } |
jleibs
reviewed
Jan 10, 2025
| token::Token, | ||
| }; | ||
|
|
||
| /// A common secret that is shared between the client and the server. |
There was a problem hiding this comment.
Suggested change
| /// A common secret that is shared between the client and the server. | |
| /// A secret key that is used to generate and verify tokens. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What
This adds a new
re_authcrate with the following features:jwt-simpleso that we can swap it out.SecretKeyfrom/tobase64to be used withredap-cli.tonic::Interceptors for both client and server side middleware with anauthorization: Bearer <token>header.Here is what a
SecretKey(HS256) looks like inbase64:We can use that to generate a basic token:
Which you can verify yourself via www.jwt.io.