
feat(authN): Redesign JWT token auth #372 #394

Open
wants to merge 2 commits into main from mikrzyz/issue-239

Conversation

@michalkrzyz (Collaborator) commented Nov 19, 2024

Redesign JWT token authentication middleware to support additional/alternative authentication method

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context. List any dependencies that are required for this change.

What type of PR is this? (check all applicable)

  • 🍕 Feature
  • 🐛 Bug Fix
  • 📝 Documentation Update
  • 🎨 Style
  • 🧑‍💻 Code Refactor
  • 🔥 Performance Improvements
  • ✅ Test
  • 🤖 Build
  • 🔁 CI
  • 📦 Chore (Release)
  • ⏩ Revert

Related Tickets & Documents

  • Related Issue # (issue)
  • Closes # (issue)
  • Fixes # (issue)

Remove if not applicable

Added tests?

  • 👍 yes
  • 🙅 no, because they aren't needed
  • 🙋 no, because I need help
  • Separate ticket for tests # (issue/pr)

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

Added to documentation?

  • 📜 README.md
  • 🤝 Documentation pages updated
  • 🙅 no documentation needed
  • (if applicable) generated OpenAPI docs for CRD changes

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Redesign JWT token authentication middleware to support additional/alternative authentication method

@michalkrzyz force-pushed the mikrzyz/issue-239 branch 2 times, most recently from 7240fe3 to 6a63744 on November 19, 2024 13:38
@drochow (Collaborator) left a comment

Good job!

LGTM --> I would just like to have some specific comments on the verify function that make clear that we left out certain enforcements/verifications intentionally.

Reviewed lines (from the PR diff):

```go
	logger Logger
	secret []byte
}
```

Collaborator:

A docstring would probably be good to say:

  • Verifies token presence in header
  • Validates token by parsing
  • Checks token validity (signature)
  • Verifies expiration time

Due to implementation constraints, we intentionally do:

  • No validation of the token issuer (iss claim)
  • No validation of the "not before" time (nbf claim)
  • No audience validation (aud claim)
  • No token signing algorithm verification before parsing

Collaborator (PR author):

I am not a big fan of commenting the code ("good code documents itself" :) ). Would it be OK if I enclose each check in single-responsibility functions like:

  • checkHeaderInRequest
  • verifyTokenStructure
  • checkTokenSignature
  • verifyTokenExpiration
  • etc.

Collaborator (PR author):

@drochow please check the last commit. I have added some functions to make checks/gets more readable.
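An added example, not code from the PR or from the project's middleware: a standard-library HS256 verifier split into the four single-responsibility functions named in the thread above. Only the four function names are taken from the comment; the jwtClaims type, the sentinel errors, the verify and signHS256 helpers and the sample secret are assumptions made for illustration. It performs exactly the four checks in the reviewer's list (header present, structure parses, signature valid, not expired) and, as the review describes, leaves iss, nbf and aud unenforced. The one thing it adds is pinning alg to HS256 before comparing the MAC, the check the review lists as omitted, because a verifier that trusts the header's alg field can be fed an alg "none" token or a key-confusion token.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

type jwtClaims struct {
	Sub string `json:"sub"` // subject, e.g. the scanner identity
	Exp int64  `json:"exp"` // expiry as a Unix timestamp; iss, nbf, aud are not read
}

var errNoHeader = errors.New("missing or malformed Authorization: Bearer header")
var errStructure = errors.New("token is not a three-segment compact JWS")
var errAlgorithm = errors.New("unexpected alg in JOSE header")
var errSignature = errors.New("signature mismatch")
var errExpired = errors.New("exp claim missing or in the past")

func checkHeaderInRequest(r *http.Request) (string, error) {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, prefix) || len(h) == len(prefix) {
		return "", errNoHeader
	}
	return h[len(prefix):], nil
}

// verifyTokenStructure splits header.payload.signature and reads alg from the header.
func verifyTokenStructure(token string) ([]string, string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, "", errStructure
	}
	var hdr struct{ Alg string `json:"alg"` }
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, "", errStructure
	}
	return parts, hdr.Alg, nil
}

// checkTokenSignature pins alg to HS256 (refusing "none" and alg confusion), then compares the MAC in constant time.
func checkTokenSignature(parts []string, alg string, secret []byte) error {
	if alg != "HS256" {
		return errAlgorithm
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if err != nil || !hmac.Equal(mac.Sum(nil), sig) {
		return errSignature
	}
	return nil
}

// verifyTokenExpiration decodes the payload and rejects tokens at or past exp.
func verifyTokenExpiration(parts []string, now time.Time) (jwtClaims, error) {
	var c jwtClaims
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return c, errStructure
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return c, errExpired
	}
	return c, nil
}

// verify runs the four checks in order; the first failure stops the chain. iss, nbf and aud are intentionally not enforced.
func verify(r *http.Request, secret []byte, now time.Time) (jwtClaims, error) {
	token, err := checkHeaderInRequest(r)
	if err != nil {
		return jwtClaims{}, err
	}
	parts, alg, err := verifyTokenStructure(token)
	if err != nil {
		return jwtClaims{}, err
	}
	if err := checkTokenSignature(parts, alg, secret); err != nil {
		return jwtClaims{}, err
	}
	return verifyTokenExpiration(parts, now)
}

// signHS256 mints a token for constructed sample input (assumed helper, used only to exercise verify).
func signHS256(c jwtClaims, secret []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	in := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(in))
	return in + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}
```

Each failure mode stops at a different step and returns its own sentinel: no header, a two-segment token, a wrong secret, an expired exp and an alg of "none" all come back distinguishable, which is what makes the split readable without a docstring. signHS256 exists only to mint sample tokens; in the scanner path the secret would come from the config and the token from the scanner.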

Split verify function for JWT token auth to make it more readable
(resolved review thread on internal/api/graphql/access/test/util.go)
Reviewed lines (from the PR diff):

```go
func NewAuth(cfg *util.Config) Auth {
	l := newLogger()
```

```go
type Auth struct {
	chain []AuthMethod
```
Collaborator:

Maybe I'm missing the full picture, but why exactly do we need a chain of auth methods?

Collaborator (PR author):

We want to have the same API access via JWT token (scanner) as well as for OIDC (user).

Collaborator:

Hmmm... Even if OIDC uses JWTs as part of its specification, we do need to treat both auth mechanisms differently. I mean, you also have different fields (inside the JWT token payload, see this example). Or how is this supposed to work? Maybe we need some call to clarify this.
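An added example, not the PR's code, of what a chain of AuthMethod values can look like and how it keeps the scanner and user mechanisms distinct, as the discussion above asks. The names AuthMethod and chain appear in the reviewed snippet; the interface shape, the Principal type, the decline/reject distinction and both concrete methods are assumptions. The scanner method is a pre-shared header token standing in for the PR's scanner JWT, and the bearer method delegates to a verifier callback standing in for OIDC ID-token validation, wired to a constructed lookup table so the example runs offline. The property worth checking is that a method which sees its credential and rejects it ends the chain: a bad scanner token must not fall through and be retried as a user login.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"net/http"
	"strings"
)

// Principal is what a successful method hands to the API layer; Kind keeps
// scanner and user identities distinct even though both arrive as header credentials.
type Principal struct {
	Subject string
	Kind    string // "scanner" or "user"
}

// ErrDeclined means the request carries none of this method's credential, so
// the chain may try the next method. Any other error is a definitive rejection.
var ErrDeclined = errors.New("auth method declined: credential not present")
var ErrUnauthenticated = errors.New("no auth method accepted the request")

// AuthMethod is one element of the chain (interface shape assumed here).
type AuthMethod interface {
	Name() string
	Authenticate(r *http.Request) (Principal, error)
}

// Chain tries methods in order and stops at the first one that takes a position.
type Chain struct{ methods []AuthMethod }

func NewChain(methods ...AuthMethod) Chain { return Chain{methods: methods} }

// Authenticate returns the principal and the name of the deciding method. A
// method that saw its credential and rejected it ends the chain: a bad scanner
// token must not fall through to be retried as a user login.
func (c Chain) Authenticate(r *http.Request) (Principal, string, error) {
	for _, m := range c.methods {
		p, err := m.Authenticate(r)
		if errors.Is(err, ErrDeclined) {
			continue
		}
		return p, m.Name(), err
	}
	return Principal{}, "", ErrUnauthenticated
}

// scannerTokenMethod accepts a single pre-shared token in X-Scanner-Token
// (constructed stand-in for the PR's scanner JWT path), compared in constant time.
type scannerTokenMethod struct {
	secret    []byte
	scannerID string
}

func (scannerTokenMethod) Name() string { return "scanner-token" }

func (s scannerTokenMethod) Authenticate(r *http.Request) (Principal, error) {
	tok := r.Header.Get("X-Scanner-Token")
	if tok == "" {
		return Principal{}, ErrDeclined
	}
	if subtle.ConstantTimeCompare([]byte(tok), s.secret) != 1 {
		return Principal{}, errors.New("scanner token rejected")
	}
	return Principal{Subject: s.scannerID, Kind: "scanner"}, nil
}

// bearerMethod handles "Authorization: Bearer <token>" and delegates to a
// verifier, which in the PR's user path would be the OIDC ID-token check.
type bearerMethod struct {
	verify func(token string) (subject string, err error)
}

func (bearerMethod) Name() string { return "oidc-bearer" }

func (b bearerMethod) Authenticate(r *http.Request) (Principal, error) {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return Principal{}, ErrDeclined
	}
	sub, err := b.verify(strings.TrimPrefix(h, "Bearer "))
	if err != nil {
		return Principal{}, err
	}
	return Principal{Subject: sub, Kind: "user"}, nil
}

// newExampleChain wires constructed credentials so the chain runs offline; the
// bearer verifier is a lookup table standing in for real OIDC validation.
func newExampleChain() Chain {
	users := map[string]string{"constructed-id-token-alice": "alice@example.com"}
	return NewChain(
		scannerTokenMethod{secret: []byte("constructed-scanner-secret"), scannerID: "scanner-1"},
		bearerMethod{verify: func(tok string) (string, error) {
			if sub, ok := users[tok]; ok {
				return sub, nil
			}
			return "", errors.New("id token rejected")
		}},
	)
}
```

Order matters: the scanner method is first because its credential is unambiguous (a dedicated header), so a request can never be mistaken for a user login by accident, and the Kind field lets the resolver layer apply scanner and user authorization rules separately rather than treating both as the same bearer identity.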

@dorneanu (Collaborator):

In the description I cannot see the "related issues" nor the ones which the PR should close.

4 participants