0001-MXS-4277-Make-iss-claim-configurable.patch
[MXS-4277] iss field in JWT tokens is always "maxscale" Created: 2022-09-07 Updated: 2023-04-13 Resolved: 2023-04-13 |
|
| Status: | Closed |
| Project: | MariaDB MaxScale |
| Component/s: | REST-API |
| Affects Version/s: | 2.5.21, 6.4.2, 22.08.0 |
| Fix Version/s: | 23.08.0 |
| Type: | New Feature | Priority: | Minor |
| Reporter: | markus makela | Assignee: | markus makela |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Attachments: |
0001-MXS-4277-Make-iss-claim-configurable.patch
|
| Sprint: | MXS-SPRINT-180 |
| Description |
|
The issuer field (iss) is always maxscale for all tokens. This makes it hard to figure out who actually created the token. A better alternative would be to construct it from the machine's hostname (or from admin_host) as well as the admin_port parameters to form a URL that points to the issuer. The proposed approach with the defaults admin_host=127.0.0.1 and admin_port=8989 would result in the following issuer field:
The only problem with this approach is that it prevents the tokens from being shared across multiple MaxScale instances which would otherwise be possible in 22.08 with a pre-shared symmetric key. For this reason, it might need to be made into a user-configurable string, especially if the value of admin_host isn't the externally visible hostname of the machine. |
| Comments |
| Comment by markus makela [ 2022-09-08 ] |
|
Attached a patch that would make the field configurable by the users. Also converted this into a New Feature as it isn't exactly a bug. |
| Comment by markus makela [ 2023-04-13 ] |
|
The issuer of the tokens can be set with admin_jwt_issuer. |