Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Introduce Server Security JWT Support #322

Open
wants to merge 12 commits into
base: 4.4.x
Choose a base branch
from

Conversation

brianwyka
Copy link
Contributor

@brianwyka brianwyka commented Feb 22, 2021

Main Changes

  • Introduce new grpc-server-security-jwt module
  • Add latest Micronaut Security version
  • Supports role based security, however does not support @Secured annotation at this point

I've added a serverSecurity.adoc to document its usage.

Other Changes

  • Update to latest Micronaut version
  • Parameterize Micronaut Discovery Client version

Closes #164

api "com.nimbusds:nimbus-jose-jwt:9.4.2"

implementation("io.micronaut.security:micronaut-security-jwt:$micronautSecurityVersion") {
exclude group: 'io.micronaut', module: 'micronaut-http'
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Decided to exclude the http dependencies since they are not used and might not be necessary on the classpath of consumers.

if (!jwtOptional.isPresent()) {
final String message = "JWT validation failed";
LOG.error(message);
throw Status.PERMISSION_DENIED.withDescription(message).asRuntimeException();
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm open to also return Status.UNAUTHENTICATED here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made this configurable, but we can still discuss the default.

LOG.error(message);
throw Status.PERMISSION_DENIED.withDescription(message).asRuntimeException();
}
return new ForwardingServerCallListener.SimpleForwardingServerCallListener<T>(listener) { };
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add any additional metadata to denote that the user is authenticated?

gradle.properties Outdated Show resolved Hide resolved
gradle.properties Outdated Show resolved Hide resolved
@brianwyka
Copy link
Contributor Author

Any feedback on this @jameskleeh @ilopmar @graemerocher ?

*/
@Override
public <T, S> ServerCall.Listener<T> interceptCall(final ServerCall<T, S> call, final Metadata metadata, final ServerCallHandler<T, S> next) {
final List<String> requiredAccesses = getRequiredAccesses(config, call);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this not also using the SecurityRule API?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SecurityRule implies knowledge of HttpRequest and RouteMatch:
https://github.com/micronaut-projects/micronaut-security/blob/master/security/src/main/java/io/micronaut/security/rules/SecurityRule.java#L57

I don't have either of those in this context.

I was attempting to use the @Secured annotation, but failed since I didn't have RouteMatch accessible...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The SecurityRule API is also using ANT style patch matching, which wouldn't sync up with the GRPC method names. I'm using regex in this case.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@brianwyka OK makes sense. In that case I think a new API to support the same use cases should be created. It should in general work the same as the existing logic

Copy link
Contributor Author

@brianwyka brianwyka Mar 3, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alright, I'll take a look into that. @jameskleeh should that new API live in this repository or in micronaut-security?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is what I was thinking, @jameskleeh maybe there should be some MethodSecurityRule interface

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any way to get access to the potential @Secured annotation on the method as well?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I can model after the SecurityFilter approach. Create one high-level GrpcServerSecurityInterceptor and have all the method rules collected there and interrogated. Sound reasonable?

Copy link
Contributor Author

@brianwyka brianwyka Mar 4, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@graemerocher , @jameskleeh, I'm realizing there will be a fair amount of duplication due to coupling with HttpRequest unless there is some level of abstraction in micronaut-security, which would require breaking changes and a 3.0 release of that module.

Here is what I am thinking (demonstration of subset of changes):
https://github.com/micronaut-projects/micronaut-security/compare/master...brianwyka:security-abstraction?expand=1

Obviously, this does not encompass all changes, but just parameterizing some of the main interfaces and abstract classes can add a ton of reusability to this module. It may be even useful to have micronaut-security and micronaut-security-http separation...

Let me know if you would like me to move forward with a lot of duplication here or begin working on some abstractions and breaking changes in the security module.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I started to do some of the duplication in this repository... Here is the start of it: 7c676d0. I bypassed creating the generic token stuff and focused on just JWT for now. Thoughts?

@StephanePaulus
Copy link

@brianwyka Any updates on this?

@brianwyka
Copy link
Contributor Author

@StephanePaulus, waiting for feedback on design direction from Micronaut team. After that, happy to move forward with changes.

@jameskleeh, @graemerocher let me know if you have any recommendations based on my latest comments in this thread...

@jameskleeh
Copy link
Contributor

@brianwyka I haven't forgot about this. I'll try to make it a priority next week

@brianwyka
Copy link
Contributor Author

Thanks @jameskleeh. Let me know what you need from me. Happy to do the implementation as much as possible.

@donbeave
Copy link

donbeave commented Nov 3, 2022

@graemerocher @sdelamo @brianwyka This looks very useful feature, I have an interest in it for one of my projects. I think it can be nice to have it in the next major release. If needs any help with this PR, I can help to finish all work here.

@graemerocher
Copy link
Contributor

@donbeave this would be a great contribution, from my understanding it requires changes on the Micronaut Security side. /cc @sdelamo

@sdelamo
Copy link
Contributor

sdelamo commented Nov 3, 2022

@donbeave this would be a great contribution, from my understanding it requires changes on the Micronaut Security side. /cc @sdelamo

We plan to decouple micronaut security from HttpRequest as much as possible in the next mayor version of Micronaut Security.

@donbeave
Copy link

donbeave commented Nov 3, 2022

@donbeave this would be a great contribution, from my understanding it requires changes on the Micronaut Security side. /cc @sdelamo

We plan to decouple micronaut security from HttpRequest as much as possible in the next mayor version of Micronaut Security.

@sdelamo maybe it's better for me to help you with decoupling first, as I'm using micronaut-security in GraphQL API, and it's not enough flexible, because it was designed around REST use cases. So if you need any help there, please let me know how you see that refactoring.

@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

1 similar comment
@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@sdelamo
Copy link
Contributor

sdelamo commented Feb 13, 2024

@donbeave this would be a great contribution, from my understanding it requires changes on the Micronaut Security side. /cc @sdelamo

We plan to decouple micronaut security from HttpRequest as much as possible in the next mayor version of Micronaut Security.

@sdelamo maybe it's better for me to help you with decoupling first, as I'm using micronaut-security in GraphQL API, and it's not enough flexible, because it was designed around REST use cases. So if you need any help there, please let me know how you see that refactoring.

@donbeave
Any help is welcome. We decoupled Micronaut Security almost completely from HTTP request. It is just the oauth2 module which is pending.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Feature Request: Server Side JWT Security Support
9 participants