generated from redhat-developer/new-project-template
-
Notifications
You must be signed in to change notification settings - Fork 55
RHIDP-7912: omitIdentityTokenOwnershipClaim flag #1487
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 7 commits
Commits
Show all changes
16 commits
Select commit
Hold shift + click to select a range
59b07e5
RHIDP-7912
deerskindoll a3715df
RHIDP-7912
deerskindoll 1c2425a
RHIDP-7912
deerskindoll dd9f8ec
RHIDP-7912
deerskindoll 3e169e0
RHIDP-7912
deerskindoll 5a5c7aa
RHIDP-7912
deerskindoll 3c12fbf
RHIDP-7912
deerskindoll 2e10c8f
Merge branch 'main' into RHIDP-7912
deerskindoll 3089886
Update modules/authentication/proc-reducing-token-size.adoc
deerskindoll 92405e9
Update modules/authentication/proc-reducing-token-size.adoc
deerskindoll ba2dfcc
Update modules/authentication/proc-reducing-token-size.adoc
deerskindoll b2a7d63
Update modules/authentication/proc-reducing-token-size.adoc
deerskindoll 618656c
Update proc-reducing-token-size.adoc
deerskindoll 86d8d20
Update modules/authentication/proc-reducing-token-size.adoc
deerskindoll d04b6ea
Update modules/authentication/proc-reducing-token-size.adoc
deerskindoll 776db29
removed annotations
deerskindoll File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| :_mod-docs-content-type: ASSEMBLY | ||
|
|
||
| [id="authentication-troubleshooting"] | ||
|
|
||
| = Troubleshooting authentication issues | ||
|
|
||
| Learn how to troubleshoot authentication issues. | ||
|
|
||
| include::modules/authentication/proc-reducing-token-size.adoc[leveloffset=+1] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| :_mod-docs-content-type: PROCEDURE | ||
|
|
||
| [id="reducing-token-size"] | ||
| = Reducing the size of issued tokens | ||
|
|
||
| By default, | ||
| the authentication backend issues user identity tokens with ownership references of the user in the `ent` claim of the JSON Web Token (JWT) payload. | ||
| This makes it easier for consumers of the token to resolve ownership of the user. | ||
| However, depending on the shape of your organization and how you resolve ownership claims, | ||
| the tokens can grow large and lead to HTTP errors that prevent you from accessing parts of {product-very-short}. | ||
deerskindoll marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| Use the `omitIdentityTokenOwnershipClaim` flag to remove the `ent` claim from tokens and reduce their size. | ||
|
|
||
| [IMPORTANT] | ||
| ==== | ||
| Without the `ent` claim in the token, consumers of the token must call the `/v1/userinfo` endpoint on the auth backend to fetch the ownership references of the user. | ||
| However, there's usually no action required for the consumers. | ||
deerskindoll marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| Clients still receive the full set of claims during authentication, | ||
| and plugin backends that use the `UserInfoService` to access the ownership references from user credentials can call the `userinfo` endpoint if necessary. | ||
deerskindoll marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| ==== | ||
|
|
||
| .Procedure | ||
|
|
||
| . In the `app-config.yaml` file, set `omitIdentityTokenOwnershipClaim` to `true`: | ||
deerskindoll marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| + | ||
| [source,yaml] | ||
| ---- | ||
| auth: | ||
| omitIdentityTokenOwnershipClaim: true | ||
| ---- | ||
| + | ||
| [IMPORTANT] | ||
| ==== | ||
| When you enable the `omitIdentityTokenOwnershipClaim` flag, it is important that any custom sign-in resolvers directly return the result of the sign-in method. | ||
deerskindoll marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
| Example of a correct setup:: | ||
|
|
||
| [source,yaml,subs="+attributes"] | ||
| ---- | ||
| return ctx.issueToken({ | ||
| claims: { sub: entityRef, ent: [entityRef] }, | ||
| }); | ||
deerskindoll marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| ---- | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.