Stage 6 - JWKS input validation

cyberark · Dec 22, 2021 · 5cfcd06 · 5cfcd06
1 parent 75aa289
commit 5cfcd06
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 4 deletions.
diff --git a/design/authenticators/authn_jwt/authn-jwt-fetch-more-keys.md b/design/authenticators/authn_jwt/authn-jwt-fetch-more-keys.md
@@ -519,10 +519,36 @@ requirements.
    | Signing key configuration is invalid: `public-keys` `value` field is missing or empty      | When value field absent or has empty value  |
    </div></details>
 
+1. Strict JWKS structure input validation
+   <details><div>
+
+   Getting JWKS input from end user rather directly from JWKS/OIDC provider requires
+   stricter input validation.
+
+   Create new `VerifyJWKS` CommandClass class is responsible for JWKS structure validation.
+   Method `call` will get a JWKS structure and will throw an exception if it's invalid.
+   The `call` method will return a valid JWKS structure.
+
+   For validation purpose itself we can take one of the next 3rd parties:
+
+   - [json_schema](https://github.com/brandur/json_schema)
+   - [json-schema](https://github.com/voxpupuli/json-schema)
+   - [json_schemer](https://github.com/davishmcclurg/json_schemer)
+   - any other appropriate 3rd party
+
+   See [JSON Schema](https://json-schema.org) for more information.
+
+   Choosing the best 3rd party is a part of implementation effort.
+
+   Validation rules should be aligned with JWKS [RFC 7517](https://www.ietf.org/rfc/rfc7517.txt)
+
+   ![image](fetch-more-keys-stage-6.png)
+   </div></details>
+
 ## Performance
 
-Two additional variables checking, fetching and parsing is added to the flow. The risk of
-performance impact it very low.
+Two additional variables checking, fetching and parsing is added to the flow.
+The risk of performance impact it very low.
 
 ## Backwards Compatibility
 
@@ -540,11 +566,12 @@ Stages:
 * S3 - `ca-cert` integration
 * S4 - Refactor signing key cache level
 * S5 - Static keys fetcher class
+* S6 - JWKS validation
 
 Proposed flow:
 
 ```
-S1 --> S4 --> S5
+S1 --> S4 --> S5 --> S6 
    --> S2 --> S3
 ```
 
@@ -557,8 +584,9 @@ S1 --> S4 --> S5
 | S3        | 3 SP (without integration tests) |
 | S4        | 2 SP (considering spike code [cyberark/conjur#2447](https://github.com/cyberark/conjur/pull/2447)) |
 | S5        | 2 SP (without integration tests) |
+| S6        | 3 SP (without integration tests) |
 | Integration tests | 10 SP - t-shirt estimation |
-| **Total** | **22 SP** |
+| **Total** | **25 SP** |
 
 ## Test Plan
 

diff --git a/design/authenticators/authn_jwt/fetch-more-keys-stage-6.png b/design/authenticators/authn_jwt/fetch-more-keys-stage-6.png