[ https://issues.apache.org/jira/browse/IMPALA-12232?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jason Fehr reassigned IMPALA-12232:
-----------------------------------
Assignee: Anubhav Jindal (was: Jason Fehr)
> Verify JWT Audience and Issuer Claims
> -------------------------------------
>
> Key: IMPALA-12232
> URL: https://issues.apache.org/jira/browse/IMPALA-12232
> Project: IMPALA
> Issue Type: Improvement
> Components: Backend, Security
> Reporter: Jason Fehr
> Assignee: Anubhav Jindal
> Priority: Major
> Labels: Impala, JWT, impala, jwt, security
>
> RFC 8725 contains JWT best practices that state the audience ("AUD") and
> issuer ("ISS") claims from a JWT should be validated if they are present.
> Impala currently has no mechanism to validate these claims.
> Implement [ISS claim validation|https://datatracker.ietf.org/doc/html/rfc8725#name-validate-issuer-and-subject] and [AUD claim validation|https://datatracker.ietf.org/doc/html/rfc8725#name-use-and-validate-audience] for both JWT and OAuth tokens.
> # Add support for two new elements in the oauth_servers flag JSON object:
> ## audienceClaims – array of strings, list of allowed values for the token’s aud claim.
> ## issuerClaims – array of strings, list of allowed values for the token’s iss claim.
> # If an incoming HTTP request contains the Authorization header, and that header’s value begins with Bearer, then verify that token using these rules (in this order). Some of these verification steps are already present:
> ## Ensure the token contains two periods and only alphanumeric characters and equal signs.
> ## Verify the token can be decoded into a JWT.
> ## Verify the token using the JWK that it declares issued it. If no JWK is declared, then try each JWK.
> ## If the JWKS configuration defines audience claims, ensure the token has the aud claim and that claim’s value is one of the allowed audiences.
> ## If the JWKS configuration defines issuer claims, ensure the token has the iss claim and that claim’s value is one of the allowed issuers.
> # Log successful or failed token authentication attempts and include the client IP, username (based on the configured username claim), audience (aud claim), issuer (iss claim), and key ID (kid claim) from the provided JWT (if it could be decoded).
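The verification order the ticket lays out, as an added Python example written for this page (not Impala's own code; the Impala backend is C++): the token shape check, payload decode, and the aud/iss allow-list checks driven by the proposed audienceClaims and issuerClaims elements. The config values, the test-token builder and the use of the full base64url alphabet in the shape check are assumptions made here; JWKS signature verification (step 3 of the ticket) is assumed to happen elsewhere.

```python
import base64
import json
import re
# Constructed config: the two oauth_servers elements the ticket proposes (values made up).
OAUTH_SERVER_CONFIG = {
    "audienceClaims": ["impala-cluster"],
    "issuerClaims": ["https://idp.example.test/"],
}

# Shape check (ticket step 1): two periods, base64url alphabet. Allowing '-' and '_'
# is broader than the ticket's "alphanumeric and equal signs"; an assumption made here.
JWT_SHAPE = re.compile(r"^[A-Za-z0-9_=-]+\.[A-Za-z0-9_=-]+\.[A-Za-z0-9_=-]*$")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str):
    """Steps 1-2: shape check, then decode the payload. Returns (claims, None) or
    (None, reason). JWKS signature verification (step 3) is assumed done elsewhere."""
    if not JWT_SHAPE.match(token):
        return None, "malformed token"
    try:
        return json.loads(_b64url_decode(token.split(".")[1])), None
    except (ValueError, UnicodeDecodeError):
        return None, "token is not a decodable JWT"

def check_aud_iss(claims: dict, config: dict):
    """Steps 4-5: a configured allow-list makes the claim mandatory and restricts its value."""
    allowed_aud = config.get("audienceClaims")
    if allowed_aud:
        aud = claims.get("aud")
        if aud is None:
            return False, "aud claim missing"
        # RFC 7519 lets aud be a single string or an array; any match suffices.
        auds = aud if isinstance(aud, list) else [aud]
        if not any(a in allowed_aud for a in auds):
            return False, "aud not in allowed audiences"
    allowed_iss = config.get("issuerClaims")
    if allowed_iss:
        iss = claims.get("iss")
        if iss is None:
            return False, "iss claim missing"
        if iss not in allowed_iss:
            return False, "iss not in allowed issuers"
    return True, "ok"

def make_test_token(claims: dict) -> str:  # constructed demo token with a dummy signature
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'demo-key'})}.{enc(claims)}.c2ln"
```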