Skip to content

feat(clients): implement JWT bearer auth #228

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
matt-codecov wants to merge 4 commits into from
Closed

feat(clients): implement JWT bearer auth #228

matt-codecov wants to merge 4 commits into from

Conversation

@matt-codecov
Copy link
Contributor

@matt-codecov matt-codecov commented Dec 3, 2025
edited by jan-auer
Loading

client implementations don't care about token content so these PRs are simple plumbing

i would still like to enable authz enforcement in our client e2e tests but this PR currently does not include that

Ref FS-202

@matt-codecov matt-codecov requested a review from a team as a code owner December 3, 2025 05:25
@matt-codecov matt-codecov force-pushed the matt/client-auth-impl branch from a962e6c to 7d0088d Compare December 4, 2025 01:31
@matt-codecov matt-codecov force-pushed the matt/client-auth-impl branch from 7d0088d to c6fefdd Compare December 4, 2025 01:35
Base automatically changed from branchless/pr199 to main December 4, 2025 16:00
@matt-codecov matt-codecov changed the base branch from main to matt/fix-authz-key-format December 5, 2025 03:21
@matt-codecov matt-codecov force-pushed the matt/client-auth-impl branch from c6fefdd to 440353c Compare December 5, 2025 03:21
Base automatically changed from matt/fix-authz-key-format to main December 5, 2025 10:44
lcian
lcian approved these changes Dec 5, 2025
View reviewed changes
Copy link
Member

@lcian lcian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, when we roll out the auth we should document that this is always required in saas, we can do so in a follow-up

@jan-auer
Merge branch 'main' into matt/client-auth-impl
5b7749d 
* main:
  fix(auth): Require EdDSA and fix verification (#232)
  release: 0.0.14
  feat(server): Implement the new Web API (#230)
jan-auer
jan-auer requested changes Dec 5, 2025
View reviewed changes
clients/python/src/objectstore_client/client.py
base_url: str,
metrics_backend: MetricsBackend | None = None,
propagate_traces: bool = False,
auth_token: str | None = None,
Copy link
Member

@jan-auer jan-auer Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This requires the user to know too much about our auth mechanism and do too much manually. The follow-up PR shows this very well: https://github.com/getsentry/objectstore/pull/231/files#diff-2901f12558868d8df8503eb8c709ebe697eaf471057eabeadede4c292f869fbeR29-R59

Compare with the implementation we had initially for this, which just required to configure a secret, and the client did all the rest.

We should change it like so:

  • The client is configured with options it needs to create tokens itself
    • (mandatory) The private key. If missing, no tokens will be issued.
    • (optional) A set of permissions. Builder defaults this to all permissions.
    • (optional) An expiry duration (not timestamp!). Defaults to something reasonably short, like 60s.
  • The session is responsible to create the token
    • References above options from the client or gets them injected
    • Together with the session's usecase and scopes it builds the token
    • Applies it to all outgoing requests on the session.
  • Caching:
    • The token can be reused until it is close to expiry, session then regenerates it on-the-fly
    • In practice, this means the session initializes w/o a token and the first request creates it

Copy link
Contributor Author

@matt-codecov matt-codecov Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i still disagree for all the reasons i've argued previously, but i will take your direction

@linear
Copy link

linear bot commented Dec 9, 2025

FS-202 Implement (optional) JWT in Clients

@matt-codecov
Copy link
Contributor Author

matt-codecov commented Dec 15, 2025

replacing with:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jan-auer jan-auer jan-auer requested changes

@lcian lcian lcian approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@matt-codecov @jan-auer @lcian