
Conversation

@dnplkndll
Contributor

@dnplkndll dnplkndll commented Jan 17, 2025

@kobros-tech can you add some tests?

Probably want to require one of the possible types too. So maybe a type selection [aud, scope, group], then the aud_text to use to parse the match value?

Need to rebase after #752 merges.

@dnplkndll dnplkndll force-pushed the 18.0-imp-auth_jwt-drop-aud branch 5 times, most recently from 538beb2 to 5da46e0 Compare January 18, 2025 01:46
@dnplkndll
Contributor Author

@sbidoul Working with AWS Cognito as a token provider, there is no aud, but we do have scopes and user groups. Would it be useful to replace the aud with these new tests to validate that a server-to-server account has the proper scope or a user has a group? The tests are pretty sloppy (any intersection of the sets); can refine if useful. Another option might be a simple disable, but we really do need the scope test in our case.
The next issue is we would have tokens that have sub and map user/partner via OAuth provider data? I guess that can be done in a partner_id_strategy extension.

validation["user_id"] = validation["sub"]

@dnplkndll dnplkndll force-pushed the 18.0-imp-auth_jwt-drop-aud branch from 7342133 to 5da46e0 Compare January 18, 2025 13:04
@sbidoul
Member

sbidoul commented Jan 18, 2025

I'm ok to make audience optional. May I suggest doing that in an independent PR to facilitate review?

Then adding validation on additional claims sounds ok too. I would not override the meaning of the audience field, though. How about an expected_claim field containing a literal dictionary (to be parsed with ast.literal_eval) or a JSON field.
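The two ideas above (a scope/group check with "any intersection of the sets" semantics, and an expected_claim field holding a literal dictionary parsed with ast.literal_eval or JSON) are illustrated below in an added example. It is not code from auth_jwt or from anyone in this thread; the field name `expected_claim`, the `match` parameter, the claim name `groups` and the sample token payload are assumptions, and the token is assumed to be already signature-verified and decoded to a dict.

```python
import ast
import json

# Constructed sample: a decoded, already signature-verified access token
# payload of the shape described in this thread (no `aud`, but a space-
# separated OAuth `scope` string and a group list). The claim name `groups`
# is illustrative; a real identity provider may use a different name.
SAMPLE_CLAIMS = {
    "sub": "0f1e2d3c-service-account",
    "iss": "https://issuer.example.invalid/",
    "scope": "orders/read orders/write",
    "groups": ["api-clients", "billing"],
    "exp": 4102444800,
}


def parse_expected_claims(text):
    """Parse the operator-configured expectation (the hypothetical
    `expected_claim` field). JSON is tried first; otherwise the text is read
    as a Python literal with ast.literal_eval, which evaluates no code.
    The result must be a dict, otherwise ValueError is raised."""
    text = text.strip()
    if not text:
        return {}
    try:
        value = json.loads(text)
    except ValueError:
        try:
            value = ast.literal_eval(text)
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"cannot parse expected claims: {exc}") from None
    if not isinstance(value, dict):
        raise ValueError("expected claims must be a dictionary")
    return value


def _as_set(value):
    """Normalise a claim value for set comparison. A string is split on
    whitespace, which is how the OAuth `scope` claim is encoded; a list-like
    claim (groups, a multi-valued `aud`) is used as is."""
    if isinstance(value, str):
        return set(value.split())
    if isinstance(value, (list, tuple, set, frozenset)):
        return set(value)
    return {value}


def check_claims(claims, expected, match="all"):
    """Return a list of failure messages; an empty list means the token
    satisfies every expectation. A list-valued expectation is checked as a
    set: with match="all" every listed value must be present, with
    match="any" one overlapping value is enough (the "any intersection" test
    mentioned in the thread). A scalar expectation must equal the claim, or
    be one of its values when the claim is a list (RFC 7519 allows a list
    `aud`). Claims not named in `expected` (such as `aud`) are not checked."""
    if match not in ("all", "any"):
        raise ValueError("match must be 'all' or 'any'")
    failures = []
    for name, wanted in expected.items():
        if name not in claims:
            failures.append(f"missing claim {name!r}")
            continue
        got = claims[name]
        if isinstance(wanted, (list, tuple, set, frozenset)):
            wanted_set, got_set = set(wanted), _as_set(got)
            ok = wanted_set <= got_set if match == "all" else bool(wanted_set & got_set)
            if not ok:
                failures.append(f"claim {name!r} lacks {sorted(wanted_set - got_set)}")
        elif got != wanted and not (isinstance(got, (list, tuple)) and wanted in got):
            failures.append(f"claim {name!r} is {got!r}, expected {wanted!r}")
    return failures


if __name__ == "__main__":
    expected = parse_expected_claims("{'scope': ['orders/read'], 'groups': ['billing']}")
    print(check_claims(SAMPLE_CLAIMS, expected))            # []
    print(check_claims(SAMPLE_CLAIMS, {"scope": ["admin"]}))  # ["claim 'scope' lacks ['admin']"]
```

The default `match="all"` is the stricter choice: an attacker-controlled or over-broad token must carry every required scope or group, not merely overlap with the list. Keeping `aud` as a separate, unchanged check (simply not listed in `expected` when the provider issues none) follows the advice above not to redefine the audience field.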

@dnplkndll dnplkndll force-pushed the 18.0-imp-auth_jwt-drop-aud branch from fabb83e to f5e43c3 Compare January 18, 2025 14:49
@dnplkndll
Contributor Author

optional aud only
#755

@github-actions

There hasn't been any activity on this pull request in the past 4 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days.
If you want this PR to never become stale, please ask a PSC member to apply the "no stale" label.

@github-actions github-actions bot added the stale PR/Issue without recent activity, it'll be soon closed automatically. label May 25, 2025
@sbidoul sbidoul removed the stale PR/Issue without recent activity, it'll be soon closed automatically. label May 25, 2025
@kobros-tech kobros-tech force-pushed the 18.0-imp-auth_jwt-drop-aud branch 2 times, most recently from cbb55d1 to 8853d13 Compare August 31, 2025 15:37
@kobros-tech kobros-tech force-pushed the 18.0-imp-auth_jwt-drop-aud branch from 1ff8db7 to 0827f1f Compare August 31, 2025 18:12
@kobros-tech
Copy link
Contributor

@sbidoul

We have added test cases here and there is another PR for the optional aud; do you need anything else?

@lmignon
I would like you to review it if there is any observation; your opinion is welcome.

"summary": """
JWT bearer token authentication.""",
"version": "18.0.1.0.0",
"version": "18.0.1.1.0",
Contributor

Version should not be modified. It will be automatically bumped at merge.

Contributor

@lmignon lmignon left a comment


Thank you for the proposal @dnplkndll
Can you improve the documentation to explain your new options? I personally find it difficult to understand the proposed changes and the problem they are trying to solve. I am therefore unable to give an informed opinion on what is being proposed.
