Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor(jans-cedarling)!: move TOKEN_CONFIGS into the token_metadata schema #10888

Open
rmarinn opened this issue Feb 18, 2025 · 11 comments · May be fixed by #10972
Open

refactor(jans-cedarling)!: move TOKEN_CONFIGS into the token_metadata schema #10888

rmarinn opened this issue Feb 18, 2025 · 11 comments · May be fixed by #10972
Assignees
@rmarinn
Labels
comp-jans-cedarling Touching folder /jans-cedarling enhancement kind-enhancement Issue or PR is an enhancement to an existing functionality
Milestone
next-release

Comments

@rmarinn
Copy link
Contributor

rmarinn commented Feb 18, 2025
edited by nynymike
Loading

Is your feature request related to a problem? Please describe.

Currently, defining and using tokens into requires a user to do 4 things:

1. Have the token defined in the CEDARLING_TOKEN_CONFIGS

CEDARLING_TOKEN_CONFIGS = {
    "access_token": {
        "entity_type_name": "Access_token",
        "iss": "enabled",
        "aud": "enabled",
        "sub": "enabled",
        "exp": "enabled"
    }
}

2. Have the entity of the token defined in the cedar schema

entity Access_token = {
    "iss": TrustedIssuer, 
    "aud": __cedar::String, 
    "sub": __cedar::String, 
    "exp": __cedar::Long, 
    "scope": __cedar::String
};

3. And define it in the Trusted Issuer Metadata Schema:

{
    "name": "Google", 
    "description": "Consumer IDP", 
    "openid_configuration_endpoint": "https://accounts.google.com/.well-known/openid-configuration",
    "tokens_metadata": {
        "access_token": {
            "trusted": true,
            "principal_identifier": "jti",
            "user_id": "OPTIONAL email | sub | uid",
            "role_mapping": "OPTIONAL role | group | memberOf",
            "claim_mapping": { ... }
        },
    },
}
  1. Set the CEDARLING_TOKEN_ENTITY_MAPPER bootstrap property as follows:
{
    "id_token": "Jans::User",
    "userinfo_token": "Jans::User",
    "access_token": "Jans::Workload",
    "customer1_token": "Customer::Widget"
}

This having to look at four places to figure out where the token entity will go introduces some confusion and could be improved.

Describe the solution you'd like

We can reduce this into two steps by moving removing the CEDARLING_TOKEN_CONFIGS then moving it's contents to the Trusted Issuer Metadata schema:

{
    "name": "Google", 
    "description": "Consumer IDP", 
    "openid_configuration_endpoint": "https://accounts.google.com/.well-known/openid-configuration",
    "tokens_metadata": {
        "access_token": {
            "trusted": true,
            "entity_type_name": "Jans::AccessToken",        <-- Cedar Object of token
            "principal_mapping": ["Jans::Workload"],          <-- Where to put this token
            "token_id": "jti",                            <-- Should always be jti 
            "user_id": "email | sub | uid",               <--- OPTIONAL
            "role_mapping": "role | group | memberOf",       <--- OPTIONAL
            "workload_id" : "client_id | rp_id",               <--- OPTIONAL 
            "claim_mapping": { ... },
            "required_claims": ["jti", "iss", "aud", "sub", "exp", "nbf", "some_custom_claim"]
        },
    },
}

Implementation:

  • Token Validation: This will be implemented through the "required_claims" field in the respective token entity. If a required claim is a registered claim name under RFC 7519 Section 4.1, the claim will be validated.
  • Token Entity Name: This field defines the Cedar entity name of the token. This is implemented through the "token_entity_name" field in the respective token entity. Note that the token entity defined here MUST also be defined in the Cedar schema. Also note that the token name here will be how we reference the token in when calling Cedarling.authorize().
  • Token -> Entity Mapping: This mapping defines which entities the token will be in. This will be implemented through the "entity_mapping" field in the respective token entity. Note that if an entity mapping is defined here, the entity MUST also be defined in the Cedar schema.

Describe alternatives you've considered

  • Having a single JSON/YAML/TOML config where we define everything then compile it into the cedar schema.
  • Defining the tokens in the cedar schema using comments, drawing inspiration from JSDoc.

Additional context

At the time of this writing, it was discussed that we'll settle for having to define the tokens in two places since it's still better than 3 places but we don't really want to touch the cedar schema.
@rmarinn rmarinn self-assigned this Feb 18, 2025
@mo-auto mo-auto added comp-jans-cedarling Touching folder /jans-cedarling kind-enhancement Issue or PR is an enhancement to an existing functionality labels Feb 18, 2025
@olehbozhok
Copy link
Contributor

why we need "required_claims": ["jti", "iss", "aud", "sub", "exp", "nbf", "some_custom_claim"] if it is defined in schema?

@olehbozhok
Copy link
Contributor

and why we need "entity_type_name": "Jans::AccessToken" and "entity_mapping": ["Jans::Workload", "Jans::User"], if it makes actually the same things?

@olehbozhok
Copy link
Contributor

olehbozhok commented Feb 18, 2025
edited
Loading

Also, we need to define what key will be used as UID for cedar-policy entity.
It means that entity_mapping should be object:

"entity_mapping": {"Jans::AccessToken":{"uid_claim":"jti"}}

or array of object:

"entity_mapping": [
  {
    "entity":"Jans::AccessToken",
    "uid_claim":"jti"
  }
]

Also, this approach allows extending if some requirements will be changed.

__
P.S.: And using this approach we no need key role_mapping because can be used entity_mapping

@nynymike
Copy link
Contributor

nynymike commented Feb 18, 2025
edited
Loading

We missed something--part of this was already done https://github.com/JanssenProject/jans/wiki/Cedarling-Nativity-Plan#token-entity-mapper

{
    "id_token": "Jans::User",
    "userinfo_token": "Jans::User",
    "access_token": "Jans::Workload",
    "customer1_token": "Customer::Widget"
}

@rmarinn
Copy link
Contributor Author

rmarinn commented Feb 19, 2025

We missed something--part of this was already done https://github.com/JanssenProject/jans/wiki/Cedarling-Nativity-Plan#token-entity-mapper

we should probably just remove that too so the user doesn't have to look at the bootstrap config for the mapping.

I think it's a better user experience to have the settings regarding tokens with the token entity metadata schema.

@rmarinn
Copy link
Contributor Author

rmarinn commented Feb 19, 2025

Also, we need to define what key will be used as UID for cedar-policy entity. It means that entity_mapping should be object:

"entity_mapping": {"Jans::AccessToken":{"uid_claim":"jti"}}

or array of object:

"entity_mapping": [
  {
    "entity":"Jans::AccessToken",
    "uid_claim":"jti"
  }
]

Also, this approach allows extending if some requirements will be changed.

__ P.S.: And using this approach we no need key role_mapping because can be used entity_mapping

  1. The entity_mapping says in which principal entities the token entity can appear.
  2. The entity_type_name is the name of the token entity, e.g. "Access_token".

@rmarinn
Copy link
Contributor Author

rmarinn commented Feb 19, 2025
edited
Loading

why we need "required_claims": ["jti", "iss", "aud", "sub", "exp", "nbf", "some_custom_claim"] if it is defined in schema?

It was discussed to not use the Cedar schema as a way to define behavior anymore.

@olehbozhok
Copy link
Contributor

olehbozhok commented Feb 19, 2025
edited
Loading

  • The entity_mapping says in which principal entities the token entity can appear.
  • The entity_type_name is the name of the token entity, e.g. "Access_token".

Thanks for explanation, please don't forget to add it to documentation

@olehbozhok
Copy link
Contributor

just for note

Image

@ossdhaval
Copy link
Contributor

ossdhaval commented Feb 25, 2025
edited
Loading

@rmarinn If this is a breaking change (requiring a major release) then you can change the title to refactor(jans-cedarling)! instead of refactor!(jans-cedarling). Refer here

@rmarinn rmarinn changed the title refactor!(jans-cedarling): move TOKEN_CONFIGS into the token_metadata schema refactor(jans-cedarling)!: move TOKEN_CONFIGS into the token_metadata schema Feb 25, 2025
@rmarinn
Copy link
Contributor Author

rmarinn commented Feb 25, 2025

@rmarinn If this is a breaking change (requiring a major release) then you can change the title to refactor(jans-cedarling)! instead of refactor!(jans-cedarling). Refer here

Okay, i changed it. I misplaced the exclamation point !.

@rmarinn rmarinn linked a pull request Mar 3, 2025 that will close this issue
refactor(jans-cedarling)!: move TOKEN_CONFIGS into the token_metadata schema #10972
Open
6 tasks
@rmarinn rmarinn linked a pull request Mar 3, 2025 that will close this issue
Open
6 tasks
@moabu moabu added this to the next-release milestone Mar 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rmarinn rmarinn

Labels
comp-jans-cedarling Touching folder /jans-cedarling enhancement kind-enhancement Issue or PR is an enhancement to an existing functionality
Projects
None yet
Milestone
next-release
Development

Successfully merging a pull request may close this issue.

refactor(jans-cedarling)!: move TOKEN_CONFIGS into the token_metadata schema JanssenProject/jans
6 participants
@ossdhaval @nynymike @olehbozhok @rmarinn @moabu @mo-auto