grafana/grafana

Dynamically construct `jwk_set_url` by using kid as part of the URL

Open

#109,373 created on August 8, 2025

(3 comments) (1 reaction) (1 assignee) TypeScript (73,744 stars) (13,868 forks)
area/auth, automated-triage, good first issue, type/feature-request

Description

Why is this needed:

Opening ticket based on prior discussion

I'm using Grafana behind an AWS load balancer, which is responsible for authentication and is then providing a JWT in the request header to Grafana. However, I can't configure the JWT auth due to Grafana requiring a statically configured `jwk_set_url`, which is not possible in this case, since the AWS load balancer has a different URL for each key, as explained in the documentation.

What would you like to be added:

I'd like to be able to either reference some key in `jwk_set_url` or use a different config value to use a different URL based on the `kid`, like `jwk_url_format`:

```ini
[auth.jwt]
enabled = true
header_name = x-amzn-oidc-data
username_claim = sub
email_claim = email
jwk_set_url = https://public-keys.auth.elb.eu-west-1.amazonaws.com/{{kid}}/.well-known/jwks.json
# or
jwk_url_format = https://public-keys.auth.elb.eu-west-1.amazonaws.com/{{kid}}
```

Who is this feature for?

This feature is for people either using an AWS load balancer for auth, or comparable JWT proxies which don't have one nice `jwk_set_url`.
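
One way a `{{kid}}` placeholder like the one proposed above could be expanded safely, as an added Go example that is not part of the original issue or Grafana's code. `KeyURLForToken` and `kidPattern` are hypothetical names, and the UUID-shaped key ID is an assumption. Because `kid` is read from the token header before any signature check, it is matched against a strict pattern and the expanded URL must keep the configured HTTPS host.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Assumption: key IDs are UUID-shaped; adjust the pattern to your issuer.
var kidPattern = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// KeyURLForToken (hypothetical helper, not Grafana code) reads kid from the
// token's unverified header and expands the "{{kid}}" placeholder in format.
func KeyURLForToken(token, format string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("token is not a three-part JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[0], "="))
	if err != nil {
		return "", fmt.Errorf("decode header: %w", err)
	}
	var hdr struct{ Kid string `json:"kid"` }
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("parse header: %w", err)
	}
	// Untrusted until the signature is verified: allow-list kid before it reaches a URL.
	if !kidPattern.MatchString(hdr.Kid) {
		return "", fmt.Errorf("rejected kid %q", hdr.Kid)
	}
	base, err := url.Parse(strings.ReplaceAll(format, "{{kid}}", "x"))
	if err != nil || base.Scheme != "https" || base.Host == "" {
		return "", fmt.Errorf("format must be an absolute https URL")
	}
	out, err := url.Parse(strings.ReplaceAll(format, "{{kid}}", hdr.Kid))
	if err != nil || out.Host != base.Host || out.Scheme != "https" {
		return "", fmt.Errorf("expanded URL left the configured origin")
	}
	return out.String(), nil
}

func main() {
	// Constructed sample header; the payload and signature parts are dummies.
	h := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"ES256","kid":"12345678-1234-1234-1234-123456789012"}`))
	fmt.Println(KeyURLForToken(h+".e30.sig", "https://public-keys.auth.elb.eu-west-1.amazonaws.com/{{kid}}"))
}
```

The returned URL only locates the key; the token's signature still has to be verified with the fetched key before any claim is trusted.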
