feat: modify auth token url based on instance param #260
Conversation
Snyk's OAuth implementation is capable of indicating the environment
which the user is authenticated into and authorized to access.
This is specified in the audience JWT claim ("aud"). Snyk's
implementation of this claim contains an array of strings, per RFC 7519.
If set and non-empty, the first audience URL is taken as the default API
URL that the client should use, unless the endpoint was specifically
configured.
It's a test JWT created on jwt.io for testing the parsing of claims and cannot be used as a valid authorization anywhere.
cmars
force-pushed
the
feat/redirect-with-instance-param
branch
3 times, most recently
from
6788c04
to
26d7b95
Compare
If an instance parameter is provided in the redirect, use it to modify the URL from where the oauth token is obtained. The instance provided is the Snyk region domain, minus the api. host prefix.
cmars
force-pushed
the
feat/redirect-with-instance-param
branch
from
26d7b95
to
345bc9e
Compare
| return fmt.Sprintf("api.%s", instance) | ||
| } | ||
|
|
||
| var redirectAuthHostRE = regexp.MustCompile(`^api\.(.+)\.snyk\.io$`) |
| return "", err | ||
| } | ||
| if len(c.Aud) > 0 { | ||
| return c.Aud[0], nil |
There was a problem hiding this comment.
could we by any change have multiple entries in the aud claim ?
There was a problem hiding this comment.
From the spec:
In the general case, the "aud" value is an array of case-
sensitive strings, each containing a StringOrURI value. In the
special case when the JWT has one audience, the "aud" value MAY be a
single case-sensitive string containing a StringOrURI value. The
interpretation of audience values is generally application specific.
Use of this claim is OPTIONAL.
https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
It is almost expected for there to be multiple values available. We should likely search the list and extract the first one which meets our criteria.
There was a problem hiding this comment.
Guidance from the IdP team is to use the first value. I can provide more context offline.
If an instance parameter is provided in the redirect, use it to modify
the URL from where the oauth token is obtained.
The instance provided is the Snyk region domain, minus the api. host
prefix.
Stacked on #258