JSON bearer tokens in HTTP request headers #163
Labels
No labels
P0
P1
P2
P3
good first issue
Infrastructure
blocked
bug
config
discussion
documentation
duplicate
enhancement
go
help wanted
internal
invalid
kludge
observability
perfomance
question
refactoring
wontfix
No project
No assignees
2 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: TrueCloudLab/frostfs-http-gw#163
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
FrostFS SDK supports two serialization formats for bearer tokens:
Most FrostFS tools consider these variants equal and are able to handle serialized tokens in either format, e.g. frostfs-cli.
frostfs-http-gw accepts only base64 encoded protobuf binaries, and does not support JSON bearer tokens:
if buf = parse(&ctx.Request.Header); buf == nil {
continue
} else if data, err := base64.StdEncoding.DecodeString(string(buf)); err != nil {
lastErr = fmt.Errorf("can't base64-decode bearer token: %w", err)
continue
} else if err = tkn.Unmarshal(data); err != nil {
lastErr = fmt.Errorf("can't unmarshal bearer token: %w", err)
continue
}
I think we should discuss whether adding support for JSON bearer tokens to frostfs-http-gw makes sense.
Pros:
Cons:
Is your feature request related to a problem? Please describe.
I'm writing an application which uses bearer tokens for access to FrostFS container. Originally I was using JSON for on-disk token format because it's more human friendly and easier to debug/troubleshoot.
In my use case I needed to expose some objects via HTTP endpoint - and then I've found out that JSON tokens will not work with frostfs-http-gw. I've switched to protobuf binaries for on-disk format, so I'm not blocked in any way. But now I need a separate tool to view token fields whenever I'm troubleshooting access issues.
Describe the solution you'd like
Add support for JSON bearer tokens is HTTP request headers. This might be useful to third party app developers.
Describe alternatives you've considered
Leave token parser as is. After all, protobuf tokens work and are not that much of a hassle.
I think the size of the JSON was the issue last time we talked about it.
Since then
allowImpesonate
flag was introduced, which provides very short bearer tokens.On the other hand, bearer tokens with APE require binary encoded data anyway (see APEOverride -> Chains -> Raw).
Also JSON looks very weird in HTTP header, however cookies may store JSON token just fine.
I have no strong opinions for or against. If it makes someones life easier, we can do it.