Add JWT and OIDC to Sentry #8662
Open
+6,670
−614
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
3 tasks
|
Proven this works with Azure below |
2ab0760 to
0f05837
Compare
7 tasks
|
@jjcollinge you can now rebase with the kit changes going into master 🙂 |
2018d32 to
d3e56a4
Compare
JoshVanL
requested changes
May 26, 2025
charts/dapr/charts/dapr_sentry/templates/dapr_sentry_service.yaml
Outdated
Show resolved
Hide resolved
charts/dapr/charts/dapr_sentry/templates/dapr_sentry_service.yaml
Outdated
Show resolved
Hide resolved
Comment on lines
53
to
67
| jwtKey, err := rsa.GenerateKey(rand.Reader, 2048) | ||
| require.NoError(t, err) | ||
|
|
||
| onemonth := time.Hour * 24 * 30 | ||
| bundle, err := ca.GenerateBundle(rootKey, "integration.test.dapr.io", time.Second*5, &onemonth) | ||
| bundle, err := ca.GenerateBundle(rootKey, jwtKey, "integration.test.dapr.io", time.Second*5, &onemonth, ca.CredentialGenOptions{ | ||
| RequireX509: true, | ||
| RequireJWT: true, | ||
| }) |
There was a problem hiding this comment.
Are there any metrics relating to JWT signing we should be testing?
|
Thanks for the review, still working through feedback and some improvements - will leave a comment when ready for a 2nd pass. |
a9ccfe3 to
037a4ad
Compare
037a4ad to
5cde5f1
Compare
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Sig 67E6 ned-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
5cde5f1 to
c5d4ad4
Compare
Signed-off-by: Jonathan Collinge <jonathancollinge@live.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why?
Adds support for OIDC and JWTs in Dapr sentry so that the Dapr runtime can use OIDC to authenticate to component providers using JWTs. This allows resource providers to use identity federation (via OIDC) to authenticate the Dapr SPIFFE ID and thus allow access to their resources. This is supported in AWS, Azure and GCP along with other providers.
Description
This PR allows a user to configure Dapr sentry to issue workload identities as JWTs as well as x.509 certificates. It also extends Dapr sentry to host a partial OIDC compliant HTTP server that can be exposed to 3rd parties to fetch the JWKS and validate the JWTs. Both of these new behaviours are disabled by default and must be opted in to via configuration.
Once Dapr sentry is configured to issue JWTs, it becomes an additional field in the existing signing respon 8000 se from Sentry. No new APIs are added to Dapr sentry to issue JWTs. The JWT credential has the same lifecycle as the x.509 certificate and will be rotated via the same mechanism.
The default JWT signing key is a RSA 2048-bit private key using the PS256 algorithm as these are widely supported by OIDC providers unlike ECDSA and is preferred over basic RS256. The JWT keys are included in the existing
dapr-trust-bundlesecret and the JWKS is also distributed via thedapr-trust-bundleconfig map.The OIDC server hosts the following endpoints
/.well-known/openid-configuration/jwks.jsonThe OIDC server is an unauthenticated HTTP server that must be exposed by the user to their OIDC providers to allow federation. It is the user's responsibility to ensure this server is exposed securely and it not something handled by Dapr.
Both the OIDC and JWT mechanism are customisable to allow users to setup their JWT infrastructure correctly. Responsibility for configuring Dapr sentry correctly for each use case is on the user as different integrations have different limitations e.g. which keys are supported etc. Currently Dapr sentry only supports 1 signing key and 1 signing algorithm at a time. The JWKS can include multiple signing algorithms to allow migrations. A single RSA or EC signing key can support multiple algorithms, so it is up to the user to configure Dapr to use the correct one when they provide their own signing key. No
issis set on the JWT if not issuer value has been provided by the user - this is not a required config on the JWT as it is not a requirement to use OIDC but is likely set when using any OIDC deployment.New Flags
Dependencies
Kit
Changes to kit to support SPIFFE JWT
dapr/kit#118
Components contrib
Changes to components-contrib to use the JWT SVID provider in Azure components as a mechanism to authenticate via a Microsoft Federated Identity Credential
dapr/components-contrib#3797
Docs
Update for Azure authentication mechanism
dapr/docs#4650
Tests
Manual
I have manually used this build to write/read from a Dapr application to an Azure blob storage bucket by federating to Dapr sentry running in a local kind cluster. I have done this with provided keys and the default "generated" keys. This approach is documented in my docs PR.
Auto
I've added various unit tests around the JWT machinery. I've also extended the existing integration tests to validate the full flow of issuing a JWT and verifying against the OIDC endpoint.
OIDC
Issue reference
Please reference the issue this PR will close: #[issue number]
Checklist
Please make sure you've completed the relevant tasks for this PR, out of the following list: