diff --git a/README.md b/README.md index 59735c94..dc9a8ebc 100644 --- a/README.md +++ b/README.md @@ -199,7 +199,7 @@ Under the hood, Authorino is based on Kubernetes [Custom Resource Definitions](h Ready - JSON Web Keys (JWKs) and JSON Web Ket Sets (JWKS) + JSON Web Keys (JWKs) and JSON Web Key Sets (JWKS) Ready @@ -279,7 +279,7 @@ For a detailed description of the features above, refer to the [Features](./docs Authorino does not store users, roles, role bindings, access control lists, or any raw authorization data. Authorino handles policies, where even these policies can be stored elsewhere (as opposed to stated inline inside of an Authorino `AuthConfig` CR). - Authorino evaluates policies for stateless authorization requests. Any additional context is either resolved from the provided payload or static definitions inside the policies. That includes extrating user information from a JWT or client TLS certificate, requesting user metadata from opaque authentication tokens (e.g. API keys) to the trusted sources actually storing that content, obtaining synchronous HTTP metadata from services, etc. + Authorino evaluates policies for stateless authorization requests. Any additional context is either resolved from the provided payload or static definitions inside the policies. That includes extracting user information from a JWT or client TLS certificate, requesting user metadata from opaque authentication tokens (e.g. API keys) to the trusted sources actually storing that content, obtaining synchronous HTTP metadata from services, etc. In the case of authentication with API keys, as well as its derivative to model HTTP Basic Auth, user data are stored in Kubernetes `Secret`s. The secret's keys, annotations and labels are usually the structures used to organize the data that later a policy evaluated in Authorino may require. Strictly, those are not Authorino data structures. 
diff --git a/api/v1beta1/auth_config_types.go b/api/v1beta1/auth_config_types.go index c18de2e2..1e975ebf 100644 --- a/api/v1beta1/auth_config_types.go +++ b/api/v1beta1/auth_config_types.go @@ -419,7 +419,7 @@ type OAuth2ClientAuthentication struct { TokenUrl string `json:"tokenUrl"` // OAuth2 Client ID. ClientId string `json:"clientId"` - // Reference to a Kuberentes Secret key that stores that OAuth2 Client Secret. + // Reference to a Kubernetes Secret key that stores that OAuth2 Client Secret. ClientSecret SecretKeyReference `json:"clientSecretRef"` // Optional scopes for the client credentials grant, if supported by he OAuth2 server. Scopes []string `json:"scopes,omitempty"` diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go index 02c177f6..41610aa8 100644 --- a/controllers/auth_config_controller.go +++ b/controllers/auth_config_controller.go @@ -87,7 +87,7 @@ func (r *AuthConfigReconciler) Reconcile(ctx context.Context, req ctrl.Request) // could not get the resource but not because of a 404 Not found (some error must have happened) return ctrl.Result{}, err } else if errors.IsNotFound(err) || !Watched(&authConfig.ObjectMeta, r.LabelSelector) { - // could not find the resouce: 404 Not found (resouce must have been deleted) + // could not find the resource: 404 Not found (resource must have been deleted) // or the resource misses required labels (i.e. not to be watched by this controller) // clean all async workers of the config, i.e. shuts down channels and goroutines diff --git a/controllers/auth_config_controller_test.go b/controllers/auth_config_controller_test.go index f107e95e..7cf3c77b 100644 --- a/controllers/auth_config_controller_test.go +++ b/controllers/auth_config_controller_test.go 
@@ -188,8 +188,8 @@ func TestAuthConfigNotFound(t *testing.T) { client := newTestK8sClient(&authConfig, &secret) reconciler := newTestAuthConfigReconciler(client, index.NewIndex()) - // Let's try to reconcile a non existing object. - result, err := reconciler.Reconcile(context.Background(), reconcile.Request{NamespacedName: types.NamespacedName{Name: "nonExistant", Namespace: authConfig.Namespace}}) + // Let's try to reconcile a non-existing object. + result, err := reconciler.Reconcile(context.Background(), reconcile.Request{NamespacedName: types.NamespacedName{Name: "nonExistent", Namespace: authConfig.Namespace}}) assert.NilError(t, err) assert.DeepEqual(t, result, ctrl.Result{}) // Result should be empty diff --git a/controllers/auth_config_status_updater.go b/controllers/auth_config_status_updater.go index c5814816..8fc68d84 100644 --- a/controllers/auth_config_status_updater.go +++ b/controllers/auth_config_status_updater.go @@ -39,7 +39,7 @@ func (u *AuthConfigStatusUpdater) Reconcile(ctx context.Context, req ctrl.Reques // could not get the resource but not because of a 404 Not found (some error must have happened) return ctrl.Result{}, err } else if errors.IsNotFound(err) || !Watched(&authConfig.ObjectMeta, u.LabelSelector) { - // could not find the resouce: 404 Not found (resouce must have been deleted) + // could not find the resource: 404 Not found (resource must have been deleted) // or the resource misses required labels (i.e. not to be watched by this controller) // skip status update return ctrl.Result{}, nil diff --git a/docs/architecture.md b/docs/architecture.md index a27d2e2e..4908f3c1 100644 --- a/docs/architecture.md +++ b/docs/architecture.md 
@@ -14,7 +14,7 @@ - [Raw HTTP Authorization interface](#raw-http-authorization-interface) - [Caching](#caching) - [OpenID Connect and User-Managed Access configs](#openid-connect-and-user-managed-access-configs) - - [JSON Web Keys (JWKs) and JSON Web Ket Sets (JWKS)](#json-web-keys-jwks-and-json-web-ket-sets-jwks) + - [JSON Web Keys (JWKs) and JSON Web Key Sets (JWKS)](#json-web-keys-jwks-and-json-web-key-sets-jwks) - [Revoked access tokens](#revoked-access-tokens) - [External metadata](#external-metadata) - [Compiled Rego policies](#compiled-rego-policies) @@ -304,7 +304,7 @@ OpenID Connect and User-Managed Access configurations, discovered usually at rec Cached individual OpenID Connect configurations discovered by Authorino can be configured to be auto-refreshed, by setting the corresponding `spec.identity.oidc.ttl` field in the AuthConfig (given in seconds, default: `0` – i.e. no cache update). -### JSON Web Keys (JWKs) and JSON Web Ket Sets (JWKS) +### JSON Web Keys (JWKs) and JSON Web Key Sets (JWKS) JSON signature verification certificates linked by discovered OpenID Connect configurations, fetched usually at reconciliation-time. diff --git a/docs/features.md b/docs/features.md index 0dea8075..482fb567 100644 --- a/docs/features.md +++ b/docs/features.md 
@@ -222,7 +222,7 @@ The `kid` claim stated in the JWT header must match one of the keys cached by Au The decoded payload of the validated JWT is appended to the authorization JSON as the resolved identity. -OpenID Connect configurations and linked JSON Web Ket Sets can be configured to be automatically refreshed (pull again from the OpenID Connect Discovery well-known endpoints), by setting the `identity.oidc.ttl` field (given in seconds, default: `0` – i.e. auto-refresh disabled). +OpenID Connect configurations and linked JSON Web Key Sets can be configured to be automatically refreshed (pull again from the OpenID Connect Discovery well-known endpoints), by setting the `identity.oidc.ttl` field (given in seconds, default: `0` – i.e. auto-refresh disabled). For an excellent summary of the underlying concepts and standards that relate OpenID Connect and JSON Object Signing and Encryption (JOSE), see this [article](https://access.redhat.com/blogs/766093/posts/1976593) by Jan Rusnacko. For official specification and RFCs, see [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html), [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html), [JSON Web Token (JWT) (RFC7519)](https://datatracker.ietf.org/doc/html/rfc7519), and [JSON Object Signing and Encryption (JOSE)](http://www.iana.org/assignments/jose/jose.xhtml). diff --git a/docs/user-guides/kubernetes-tokenreview.md b/docs/user-guides/kubernetes-tokenreview.md index 05935ce2..1712d382 100644 --- a/docs/user-guides/kubernetes-tokenreview.md +++ b/docs/user-guides/kubernetes-tokenreview.md 
@@ -24,7 +24,7 @@ Validate Kubernetes Service Account tokens to authenticate requests to your prot ## Requirements - Kubernetes server -- Kubernetes user with permission to create `TokenRequest`s (to consume the API from ouside the cluster) +- Kubernetes user with permission to create `TokenRequest`s (to consume the API from outside the cluster) - [yq](https://github.com/mikefarah/yq) (to parse your `~/.kube/config` file to extract user authentication data) Create a containerized Kubernetes server locally using [Kind](https://kind.sigs.k8s.io): diff --git a/docs/user-guides/validating-webhook.md b/docs/user-guides/validating-webhook.md index c89e9e73..983283ed 100644 --- a/docs/user-guides/validating-webhook.md +++ b/docs/user-guides/validating-webhook.md @@ -295,7 +295,7 @@ EOF # for: "STDIN": admission webhook "check-authconfig.authorino.kuadrant.io" denied the request: Unauthorized ``` -Kuberentes TokenReview: +Kubernetes TokenReview: ```sh kubectl -n myapp apply -f -<
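Review bot: in the api/v1beta1/auth_config_types.go hunk, the "Kuberentes" fix leaves two neighbouring typos in the same doc comment untouched: the unchanged context line `// Optional scopes for the client credentials grant, if supported by he OAuth2 server.` should read `by the OAuth2 server`, and `stores that OAuth2 Client Secret` reads better as `stores the OAuth2 Client Secret`. If the project generates its CRD manifests from these type comments (as kubebuilder-style projects do), the generated YAML should be regenerated in the same change; none is included in this diff.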
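Review bot: in the controllers/auth_config_controller_test.go hunk, `nonExistent` is a spelling improvement only, but the value is used as a Kubernetes object name inside a `reconcile.Request`, and a real API server would reject a name containing uppercase letters (metadata.name must be a lowercase DNS subdomain). Against the fake client from `newTestK8sClient` the not-found path is still exercised and the assertions on `err` and `result` are unaffected, so the test is fine as is; if the fixture is meant to look like a real object name, `non-existent` would be the safer spelling.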
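Review bot: in the docs/architecture.md table-of-contents hunk, the anchor `#json-web-keys-jwks-and-json-web-key-sets-jwks` is renamed together with the `###` heading in the following hunk, so the in-page link stays valid. Any other document that still links to the old `#json-web-keys-jwks-and-json-web-ket-sets-jwks` slug (the README feature table in the first hunk lists this same entry) would now point at a dead anchor, so a repo-wide search for `ket-sets` before merging would confirm nothing else references the old heading.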