FAQ | This is a LIVE service | Changelog

Skip to content
Snippets Groups Projects

Fix trailing slash

Merged Fix trailing slash
fix-trailing-slash into main
1 unresolved thread
Merged Robin Goodall requested to merge fix-trailing-slash into main
1 unresolved thread

Getting the following when verifying JWT in IDhub (possibly first service doing this?)

INFO:apigatewayauth.authentication:Incoming API token failed verification: Token has wrong audience https://webapp-{foobar}-nw.a.run.app, expected one of ['https://webapp-{foobar}-nw.a.run.app/']

Could override expected audience via env var but better the default behaves the same way as the API Gateway creates the JWT.

Part of https://gitlab.developers.cam.ac.uk/uis/devops/iam/idhub/api/-/issues/90

Merge request reports

Loading
Loading

Activity

Filter activity
  • Approvals
  • Assignees & reviewers
  • Comments (from bots)
  • Comments (from users)
  • Commits & branches
  • Edits
  • Labels
  • Lock status
  • Mentions
  • Merge request status
  • Tracking
  • Robin Goodall assigned to @rjg21

    assigned to @rjg21

    • Dr Rich Wareham
      Dr Rich Wareham @rjw57 ·
      Owner

      FWIW, I expected that API_GATEWAY_JWT_EXPECTED_AUDIENCE would be set when this is deployed as the "canonical" URL for the application is only knowable by the deploying code. E.g. if the app is supposed to be accessed via https://my-cool-backend.service.apps.cam.ac.uk/, then we don't want to accept https://webapp-{...}-nw.a.run.app.

      More generally, I think my intention was that API_GATEWAY_JWT_EXPECTED_AUDIENCE would be set explicitly so that we didn't let the same entity presenting the auth token (being the incoming request in this case) also specify the expected audience (by means of the Host header).

      So, my vote would be to fix this by documenting that API_GATEWAY_JWT_EXPECTED_AUDIENCE should be set by deployments.

    • Dr Rich Wareham
      Dr Rich Wareham @rjw57 ·
      Owner

      But I don't care strongly about it to override this fix. I might suggest accepting both the trailing slash and non-trailing slash versions though?

    • Robin Goodall
      Robin Goodall @rjg21 ·
      Author Owner

      Ok, I'll change it so that:

      1. it is happy with a trailing slash or not even if the audience came from the env var.
      2. there is a line about the audience should really be specified
      3. the idhub/infra specifies the host
      Edited by Robin Goodall
    • Dr Rich Wareham
      Dr Rich Wareham @rjw57 ·
      Owner

      Perfect. TBH, it's really not super-bad if we just use the Host to build the expected audience but it does feel like we're doing the equivalent of a guard saying "this pass you've given me is addressed to Jane the Guard and you've just told me that my name is Jane, so fair 'nuff" :).

    • Please register or sign in to reply
  • Robin Goodall added 3 commits

    added 3 commits

    • f8f98dc5 - fix: allow trailing slash or not in expected audiences
    • 31e0aea0 - chore: version 0.0.7
    • b3448819 - fix: resolve geddit dependency failure

    Compare with previous version

  • Dr Rich Wareham
  • Dr Rich Wareham
  • Robin Goodall added 3 commits

    added 3 commits

    • f1739c31 - fix: allow trailing slash or not in expected audiences
    • e49e9104 - chore: version 0.0.7
    • a050b673 - fix: resolve geddit dependency failure

    Compare with previous version

  • Dr Rich Wareham
  • Robin Goodall added 4 commits

    added 4 commits

    • bc379fa3 - fix: allow trailing slash or not in expected audiences
    • 1ecc32b1 - chore: version 0.0.7
    • 4a8b5f5c - fix: resolve geddit dependency failure
    • 46c403ca - fix: dockerfile for local testing

    Compare with previous version

    Toggle commit list
  • Dr Rich Wareham
  • Dr Rich Wareham approved this merge request

    approved this merge request

  • Robin Goodall mentioned in commit 7ca86706

    mentioned in commit 7ca86706

  • Robin Goodall merged

    merged

    • Please register or sign in to reply