
Update JWT login type to support JWKS, custom sub claim, and encode special chars in user ID #9493

Closed
wants to merge 14 commits into from
1 change: 1 addition & 0 deletions changelog.d/9493.feature
@@ -0,0 +1 @@
Update JWT login type to support JSON Web Key Sets (JWKS), custom sub claim, and option to encode unsupported characters in user ID.
22 changes: 21 additions & 1 deletion docs/sample_config.yaml
Expand Up @@ -2158,10 +2158,30 @@ sso:
# This is either the private shared secret or the public key used to
# decode the contents of the JSON web token.
#
# Required if 'enabled' is true.
# Either 'secret' or 'jwks_uri' is required if 'enabled' is true.
#
#secret: "provided-by-your-issuer"

# URI where to fetch the JWKS containing the public keys that
# should be used to verify the signature of the JSON web token.
# Only used if 'secret' is not provided.
#
# Either 'secret' or 'jwks_uri' is required if 'enabled' is true.
#
#jwks_uri: "provided-by-your-issuer"

# Name of the claim containing a unique identifier for the user.
#
# Optional, defaults to `sub`.
#
#subject_claim: "sub"

# Perform normalization of the user ID and encode unsupported characters.
#
# Optional, defaults to false.
#
#normalize_user_id: true

# The algorithm used to sign the JSON web token.
#
# Supported algorithms are listed at
30 changes: 28 additions & 2 deletions synapse/config/jwt_config.py
Expand Up @@ -29,11 +29,14 @@ def read_config(self, config, **kwargs):
jwt_config = config.get("jwt_config", None)
if jwt_config:
self.jwt_enabled = jwt_config.get("enabled", False)
self.jwt_secret = jwt_config["secret"]
self.jwt_algorithm = jwt_config["algorithm"]

# The issuer and audiences are optional, if provided, it is asserted
# that the claims exist on the JWT.
self.jwt_secret = jwt_config.get("secret")
self.jwt_jwks_uri = jwt_config.get("jwks_uri")
self.jwt_subject_claim = jwt_config.get("subject_claim")
self.jwt_normalize_user_id = jwt_config.get("normalize_user_id", False)
self.jwt_issuer = jwt_config.get("issuer")
self.jwt_audiences = jwt_config.get("audiences")

Expand All @@ -46,6 +49,9 @@ def read_config(self, config, **kwargs):
else:
self.jwt_enabled = False
self.jwt_secret = None
self.jwt_jwks_uri = None
self.jwt_subject_claim = None
self.jwt_normalize_user_id = False
self.jwt_algorithm = None
self.jwt_issuer = None
self.jwt_audiences = None
Expand Down Expand Up @@ -76,10 +82,30 @@ def generate_config_section(self, **kwargs):
# This is either the private shared secret or the public key used to
# decode the contents of the JSON web token.
#
# Required if 'enabled' is true.
# Either 'secret' or 'jwks_uri' is required if 'enabled' is true.
#
#secret: "provided-by-your-issuer"

# URI where to fetch the JWKS containing the public keys that
# should be used to verify the signature of the JSON web token.
# Only used if 'secret' is not provided.
#
# Either 'secret' or 'jwks_uri' is required if 'enabled' is true.
#
#jwks_uri: "provided-by-your-issuer"

# Name of the claim containing a unique identifier for the user.
#
# Optional, defaults to `sub`.
#
#subject_claim: "sub"

# Perform normalization of the user ID and encode unsupported characters.
#
# Optional, defaults to false.
#
#normalize_user_id: true

# The algorithm used to sign the JSON web token.
#
# Supported algorithms are listed at
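Review bot: In the @@ -29,11 +29,14 @@ hunk, replacing `jwt_config["secret"]` with `jwt_config.get("secret")` removes the only check that a verification key is configured: with `enabled: true` and neither `secret` nor `jwks_uri` set, both attributes are None and the login path in synapse/rest/client/v1/login.py hands `key=None` to `jwt.decode`. The sample config added in the same commit states that either `secret` or `jwks_uri` is required when enabled, so `read_config` should enforce it at load time, e.g. `if self.jwt_enabled and not (self.jwt_secret or self.jwt_jwks_uri): raise ConfigError("Either 'secret' or 'jwks_uri' is required when 'jwt_config.enabled' is true")` — unless the lines elided between the first two hunks already do this. Since the key set fetched from `jwks_uri` is what signatures are verified against, it would also be worth rejecting or at least warning on a non-https `jwks_uri`, since a plain-http fetch lets anyone on the path substitute keys. `read_config` and `generate_config_section` both continue outside the visible hunks.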
21 changes: 18 additions & 3 deletions synapse/rest/client/v1/login.py
Expand Up @@ -29,7 +29,7 @@
from synapse.http.site import SynapseRequest
from synapse.rest.client.v2_alpha._base import client_patterns
from synapse.rest.well_known import WellKnownBuilder
from synapse.types import JsonDict, UserID
from synapse.types import JsonDict, UserID, map_username_to_mxid_localpart

if TYPE_CHECKING:
from synapse.server import HomeServer
Expand All @@ -53,6 +53,9 @@ def __init__(self, hs: "HomeServer"):
# JWT configuration variables.
self.jwt_enabled = hs.config.jwt_enabled
self.jwt_secret = hs.config.jwt_secret
self.jwt_jwks_uri = hs.config.jwt_jwks_uri
self.jwt_subject_claim = hs.config.jwt_subject_claim
self.jwt_normalize_user_id = hs.config.jwt_normalize_user_id
self.jwt_algorithm = hs.config.jwt_algorithm
self.jwt_issuer = hs.config.jwt_issuer
self.jwt_audiences = hs.config.jwt_audiences
Expand Down Expand Up @@ -298,11 +301,19 @@ async def _do_jwt_login(self, login_submission: JsonDict) -> Dict[str, str]:
)

import jwt
from jwt import PyJWKClient

key = self.jwt_secret

if not key and self.jwt_jwks_uri:
jwks_client = PyJWKClient(self.jwt_jwks_uri)
signing_key = jwks_client.get_signing_key_from_jwt(token)
Does this make a synchronous HTTP call? If so we ideally would do this via a SimpleHttpClient or push this into the background.

Yes, seems like it makes a synchronous HTTP call. It is also possible to implement the loading and parsing of JWKS without PyJWT, like in OidcHandler, then we have more control over the request and caching.

Fetching this for every login seems quite inefficient. I wonder if we should do something on start-up (like OIDC). It looks like PyJWKClient is quite simple!

key = signing_key.key

try:
payload = jwt.decode(
token,
self.jwt_secret,
key,
algorithms=[self.jwt_algorithm],
issuer=self.jwt_issuer,
audience=self.jwt_audiences,
Expand All @@ -315,10 +326,14 @@ async def _do_jwt_login(self, login_submission: JsonDict) -> Dict[str, str]:
errcode=Codes.FORBIDDEN,
)

user = payload.get("sub", None)
subject_claim = self.jwt_subject_claim or "sub"
user = payload.get(subject_claim, None)
Comment on lines +350 to +351
We already did the fallback to sub in the config code, no need to do it again.

Suggested change
subject_claim = self.jwt_subject_claim or "sub"
user = payload.get(subject_claim, None)
user = payload.get(self.jwt_subject_claim, None)

The issue is that tests don't use the config code but set hs.config directly, so without specifying a fallback here, many tests in JWTTestCase would fail. What do you suggest to solve this?

The config code should get run during tests, see:

synapse/tests/unittest.py

Lines 469 to 472 in fe604a0

# Parse the config from a config dict into a HomeServerConfig
config_obj = HomeServerConfig()
config_obj.parse_config_dict(config, "", "")
kwargs["config"] = config_obj

Were you able to try this again? It should run fine during tests.

if user is None:
raise LoginError(403, "Invalid JWT", errcode=Codes.FORBIDDEN)

if self.jwt_normalize_user_id:
user = map_username_to_mxid_localpart(user)

user_id = UserID(user, self.hs.hostname).to_string()
result = await self._complete_login(
user_id, login_submission, create_non_existent_users=True
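Review bot: The key-set lookup `signing_key = jwks_client.get_signing_key_from_jwt(token)` in the @@ -298,11 +301,19 @@ hunk runs before the `try` that follows it, so a token whose `kid` header is absent from the key set raises the client's `PyJWKClientError` out of `_do_jwt_login` unhandled (and a failed fetch of `jwks_uri` may surface as a plain urllib error) instead of becoming the 403 `LoginError` that decode failures already get. The `kid` comes from the still-unverified token header, so any unauthenticated caller can reach that path; moving the `if not key and self.jwt_jwks_uri:` block inside the `try` so its exceptions are mapped the same way, or giving it its own `except` that raises `LoginError(403, "Invalid JWT", errcode=Codes.FORBIDDEN)`, keeps the failure mode consistent and avoids leaking an internal error to the client. Keeping `algorithms=[self.jwt_algorithm]` pinned on the JWKS path is correct and should stay as is. `_do_jwt_login` starts and ends outside the hunk.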
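--- a/tests/rest/client/v1/test_login.py
+++ b/tests/rest/client/v1/test_login.py
@@ -982,6 +982,54 @@ def test_login_aud_no_config(self):
 channel.json_body["error"], "JWT validation failed: Invalid audience"
 )
 
+def test_login_default_sub(self):
+"""Test reading user ID from the default subject claim."""
+channel = self.jwt_login({"sub": "kermit"})
+self.assertEqual(channel.result["code"], b"200", channel.result)
+self.assertEqual(channel.json_body["user_id"], "@kermit:test")
+
+@override_config(
+{
+"jwt_config": {
+"jwt_enabled": True,
+"secret": jwt_secret,
+"algorithm": jwt_algorithm,
+"subject_claim": "username",
+}
+}
+)
+def test_login_custom_sub(self):
+"""Test reading user ID from a custom subject claim."""
+channel = self.jwt_login({"username": "frog"})
+self.assertEqual(channel.result["code"], b"200", channel.result)
+self.assertEqual(channel.json_body["user_id"], "@frog:test")
+
+def test_login_no_normalize_id(self):
+"""Test mapping user ID to Matrix ID without normalization"""
+channel = self.jwt_login({"sub": "#kermit"})
+self.assertEqual(channel.result["code"], b"400", channel.result)
+self.assertEqual(channel.json_body["errcode"], "M_INVALID_USERNAME")
+self.assertEqual(
+channel.json_body["error"],
+"User ID can only contain characters a-z, 0-9, or '=_-./'",
+)
+
+@override_config(
+{
+"jwt_config": {
+"jwt_enabled": True,
+"secret": jwt_secret,
+"algorithm": jwt_algorithm,
+"normalize_user_id": True,
+}
+}
+)
+def test_login_normalize_id(self):
+"""Test mapping user ID to Matrix ID with normalization"""
+channel = self.jwt_login({"sub": "#kermit"})
+self.assertEqual(channel.result["code"], b"200", channel.result)
+self.assertEqual(channel.json_body["user_id"], "@=23kermit:test")
+
 def test_login_no_token(self):
 params = {"type": "org.matrix.login.jwt"}
 channel = self.make_request(b"POST", LOGIN_URL, params)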
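Review bot: The two `@override_config` dicts set `"jwt_enabled": True` inside `jwt_config`, but `read_config` in synapse/config/jwt_config.py reads the key `enabled` (`jwt_config.get("enabled", False)`), so that key is never consumed; the new tests only pass if the override is merged over a base config that already carries `enabled: true`, which I cannot confirm from this page. Writing `"enabled": True` would match the documented key either way. The section also adds no test for the `jwks_uri` path introduced in login.py, so the key-set lookup, its interaction with the configured `algorithm`, and its failure handling on an unknown `kid` stay unexercised. The test class starts and ends outside the hunk.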