Support OIDC in Aerie-UI by adding JWKS Support. #131
Open
pranav-super wants to merge 4 commits into develop from
Conversation
Add support for verifying JWTs using JWKS (JSON Web Key Set) endpoints, enabling integration with OIDC providers like Keycloak.
- Add jwks-rsa dependency for fetching and caching JWKS
- Update JWT verification to support both static secrets and JWKS URLs
- Update JWT expiration type to work with jwt.SignOptions
Co-authored-by: Pranav Subramanian <pranav.subramanian@nasa.gov>

- Add issuer and audience fields to JwtSecret type
- Validate issuer/audience claims when configured in HASURA_GRAPHQL_JWT_SECRET
- Fix JWKS error handling to properly propagate errors
- Change default JWT algorithm from HS256 to RS256 (matches Aerie UI)
- Use JWT_ALGORITHMS env var instead of hardcoded algorithm list
- Update .env.template with OIDC configuration examples
Co-authored-by: Pranav Subramanian <pranav.subramanian@nasa.gov>

Tests cover:
- Authorization header parsing (Bearer token extraction, error cases)
- RS256 token verification with static key
- Issuer validation (rejection on mismatch, acceptance when correct)
- Audience validation (single value and array)
- Combined issuer + audience validation
- Skipped validation when not configured (backward compatibility)
- Expired token handling
- HS256 token verification
Co-authored-by: Pranav Subramanian <pranav.subramanian@nasa.gov>

Adds environment variables to configure JWT claim paths, allowing deployments to use custom namespaces and claim names that match their OIDC provider's token structure:
- JWT_CLAIMS_NAMESPACE: The namespace key in the JWT (default: https://hasura.io/jwt/claims)
- JWT_CLAIMS_USER_ID: Claim name for user ID (default: x-hasura-user-id)
- JWT_CLAIMS_ALLOWED_ROLES: Claim name for allowed roles (default: x-hasura-allowed-roles)
- JWT_CLAIMS_DEFAULT_ROLE: Claim name for default role (default: x-hasura-default-role)
This matches the claim path configurability in Aerie UI, enabling consistent configuration across both applications when using custom OIDC providers like Keycloak.
Co-Authored-By: Pranav Subramanian <pranav@example.com>
This PR complements this Aerie-UI PR, and introduces support in Gateway for JWKS decoding. Since the OIDC flow in Aerie can call the session endpoint in the gateway, which verifies the token, support for JWKS is crucial.