@paullatzelsperger paullatzelsperger commented Oct 21, 2024

What this PR changes/adds

Add validation for the JWT token IDs (jti claim) when verifying access tokens.

To do that, the JtiValidationRule has been registered for the "dcp-access-token" validation context.

Note that by default this check is deactivated to avoid unexpected breakages in existing applications.

Set edc.iam.accesstoken.jti.validation=true to enable it.

Why it does that

Protection against replay attacks.

Linked Issue(s)

Closes eclipse-edc/Connector#3749

DEPENDS ON eclipse-edc/Connector#4560

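To illustrate the replay check this PR wires in, here is an added, stand-alone example (not EDC's own JtiValidationRule or registry code): a rule registry for the "dcp-access-token" context with a scope-presence rule that is always on and a jti-uniqueness rule that is only registered when the setting is enabled, mirroring the default-off behaviour described above. The in-memory seen-jti store, the ACCESS_TOKEN_SCOPE_CLAIM value "scope" and the rule/registry class shapes are assumptions for the example.

```python
import time

DCP_ACCESS_TOKEN_CONTEXT = "dcp-access-token"   # context name from the PR
ACCESS_TOKEN_SCOPE_CLAIM = "scope"              # assumed claim name for the example

class ClaimIsPresentRule:
    """Fails when the configured claim is absent (like the scope rule in the PR)."""
    def __init__(self, claim):
        self.claim = claim
    def check(self, claims, now):
        return (True, "ok") if self.claim in claims else (False, f"missing claim {self.claim!r}")

class JtiValidationRule:
    """Rejects a token whose jti was already accepted, until that token's exp has passed."""
    def __init__(self):
        self._seen = {}   # jti -> exp (epoch seconds); constructed in-memory store
    def check(self, claims, now):
        # forget ids of expired tokens: an expired token fails the exp check anyway,
        # so its id no longer needs to be remembered and the store stays bounded
        for jti in [j for j, exp in self._seen.items() if exp <= now]:
            del self._seen[jti]
        jti = claims.get("jti")
        exp = claims.get("exp")
        if not jti:
            return False, "missing jti claim"
        if exp is None or exp <= now:
            return False, "jti check needs an unexpired exp claim"
        if jti in self._seen:
            return False, f"jti {jti!r} already used: replay rejected"
        self._seen[jti] = exp
        return True, "ok"

class RuleRegistry:
    """Runs every rule registered for a validation context; first failure wins."""
    def __init__(self):
        self._rules = {}
    def add_rule(self, context, rule):
        self._rules.setdefault(context, []).append(rule)
    def validate(self, context, claims, now=None):
        now = time.time() if now is None else now
        for rule in self._rules.get(context, []):
            ok, reason = rule.check(claims, now)
            if not ok:
                return False, reason
        return True, "ok"

def build_registry(jti_validation_enabled=False):
    # mirrors the PR: scope rule always registered, jti rule only when the setting is true
    registry = RuleRegistry()
    registry.add_rule(DCP_ACCESS_TOKEN_CONTEXT, ClaimIsPresentRule(ACCESS_TOKEN_SCOPE_CLAIM))
    if jti_validation_enabled:
        registry.add_rule(DCP_ACCESS_TOKEN_CONTEXT, JtiValidationRule())
    return registry
```

With the setting left at its default, presenting the same token twice passes both times; with it enabled, the second presentation is rejected as a replay.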

@paullatzelsperger paullatzelsperger added enhancement New feature or request dcp labels Oct 21, 2024
@paullatzelsperger paullatzelsperger marked this pull request as draft October 21, 2024 13:41
@paullatzelsperger paullatzelsperger marked this pull request as ready for review October 21, 2024 14:14
@paullatzelsperger paullatzelsperger force-pushed the feat/use_jti_validation_service branch from 64b4acf to 3c6f187 October 21, 2024 15:04
var scopeIsPresentRule = new ClaimIsPresentRule(ACCESS_TOKEN_SCOPE_CLAIM);
registry.addRule(DCP_ACCESS_TOKEN_CONTEXT, scopeIsPresentRule);

if (context.getSetting(ACCESSTOKEN_JTI_VALIDATION_ACTIVATE, false)) {
false could be extracted as a constant and also used in the @Setting annotation

@paullatzelsperger paullatzelsperger merged commit ecc3518 into eclipse-edc:main Oct 22, 2024
@paullatzelsperger paullatzelsperger deleted the feat/use_jti_validation_service branch October 22, 2024 06:52
Successfully merging this pull request may close these issues.

Implement infrastructure to verify jti claims