serviceaccounts: Add JWT KeyIDs to tokens #78502
Conversation
k8s-ci-robot
added
release-note
|
Welcome @ahmedtd! |
k8s-ci-robot
added
needs-priority
|
Hi @ahmedtd. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
cncf-cla: yes
|
/assign @liggitt |
|
IMO a change like this requires more thought and possibly a KEP. Also is there any real performance difference with trying all combinations when we have the token cache? |
|
I'm happy to put together a KEP if you think it's necessary. To add some context, this is part of the work we're (mikedanese, awly, alexcope), doing within Google to let Google IAM trust tokens issued by the cluster's OIDC issuer (GKE Workload Identity [1]). The performance difference here is not for any component within the Kubernetes cluster, but for the OIDC relying party that is verifying the tokens (Google IAM in our case, but any other OIDC relying party should see the same benefit). To verify a token, the relying party needs to fetch the identity provider's JWK public keys from it's well-known endpoint. There could be several keys advertised here (though there aren't in Kubernetes' case). To verify the token, each of the advertised keys needs to be tried, until the one that signed the token originally is found. Key IDs let the relying party skip these multiple expensive operations and jump directly to the correct key. Additionally, the relying party caches the Identity Provider's public keys for a period of time, to avoid slamming the identity provider if with traffic proportional to the traffic the relying party is experiencing. Seeing a new Key ID triggers the relying party to dump its cache and re-fetch keys. (This behavior might be specific to Google IAM, but it seems like most relying parties would need to make a similar choice). Without this trigger, the cache TTL needs to be low enough to not cause a significant outage if the identity provider rotates its keys. [1] https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity |
Let us start with a discussion on the sig-auth biweekly meeting. This seems highly related to kubernetes/enhancements#704 and kubernetes/community#2314
Seems like you could simply re-use the token cache logic from kube to avoid this cost. I think you would want a short lived cache anyway.
You could just re-fetch the keys when none match the token right (with some smarts around how often you are willing to do that)?
My general hesitation here is that we are expanding the API surface that we expose external components (and I am not sure we actually need to do that). |
Sounds good! You're right, I think this behavior needs to be part of this proposal. (The JWKS url is required to specify key IDs if it advertises multiple keys).
Can you point me to the code you're talking about? I've done a little bit of digging, but I can't figure out what you're referring to.
Yes, the key ID cache-dumping behavior originally seemed to be unnecessary to me, but it is pointed to in the OpenID Connect spec. I'm not totally sure of the rationale. |
pkg/serviceaccount/jwt.go
Outdated
| // KeyID helps OIDC verifiers cope with key rotations. Making the | ||
| // derivation non-reversible makes it impossible for someone to | ||
| // accidentally obtain the real key from the key ID and use it for token | ||
| // validation. |
There was a problem hiding this comment.
Even though the KeyID is generated using a one-way hash of the public key, is it useful for bad actors to collect JWTs they can assert were signed with the same private key?
There was a problem hiding this comment.
It seems like that's already possible, with some effort — the cluster advertises its public keys, and it's easy to test that a given JWT was signed by a given key.
There was a problem hiding this comment.
Oh, interesting. Thanks for the additional information.
pkg/serviceaccount/jwt.go
Outdated
| // accidentally obtain the real key from the key ID and use it for token | ||
| // validation. | ||
|
|
||
| publicKeyDERBytes, err := x509.MarshalPKIXPublicKey(&keyPair.PublicKey) |
There was a problem hiding this comment.
extract this to a function and share it between RSA and ECDSA
pkg/serviceaccount/jwt.go
Outdated
| signer, err := jose.NewSigner( | ||
| jose.SigningKey{ | ||
| Algorithm: alg, | ||
| Key: opaqueSigner, |
There was a problem hiding this comment.
Opaque signers should also forward key ids:
KeyID: opaqueSigner.Public().KeyID
Key rotation is going to be tricky though.
There was a problem hiding this comment.
Actually, I spoke too soon --- SigningKey doesn't have a KeyID field. Is it safe to change the Key field from opaqueSigner to a JSONWebKey that wraps opaqueSigner?
signer, err := jose.NewSigner(
jose.SigningKey{
Algorithm: alg,
Key: &jose.JSONWebKey{
Algorithm: alg,
Key: opaqueSigner,
KeyID: opaqueSigner.Public().KeyID,
Use: "sig",
},
},
nil
)
pkg/serviceaccount/jwt.go
Outdated
| ) | ||
|
|
||
| if err != nil { | ||
| return nil, errors.Wrapf(err, "failed to create signer") |
There was a problem hiding this comment.
please, not yet :) I'll learn what Wrapf does when it's in the stdlib (maybe go1.13).
There was a problem hiding this comment.
Done. It looks like what's coming in 1.13 is not Wrapf, but instead a new format code for Errorf ("%w")
This is primarily useful for relying parties of the service account issuer that cannot use TokenReview. A kid change signals that the verifying client needs to refetch keys. |
ahmedtd
force-pushed
the
jwt-keyid
branch
3 times, most recently
from
f483f65 to
aa26c1d
Compare
|
@enj We discussed this at the last sig-auth meeting. The only concerns that were raised were
|
|
Would it be easier to just at an extra header? kubernetes/vendor/gopkg.in/square/go-jose.v2/signing.go Lines 53 to 56 in 2837c32 |
I can't tell what you're referring to here. Can you give me some more context? |
| func signerFromOpaqueSigner(opaqueSigner jose.OpaqueSigner) (jose.Signer, error) { | ||
| alg := jose.SignatureAlgorithm(opaqueSigner.Public().Algorithm) | ||
|
|
||
| signer, err := jose.NewSigner( |
There was a problem hiding this comment.
return jose.NewSigner. You decorate the error already above.
There was a problem hiding this comment.
I feel like it's important for debuggability to decorate the errors at the point they enter the kubernetes codebase from our dependencies.
That way, someone trying to debug this code doesn't have to try to guess which library call the error they're seeing came out of.
| KeyID: keyID, | ||
| Use: "sig", | ||
| } | ||
|
|
||
| signer, err := jose.NewSigner( |
There was a problem hiding this comment.
I feel like it's important for debuggability to decorate the errors at the point they enter the kubernetes codebase from our dependencies.
That way, someone trying to debug this code doesn't have to try to guess which library call the error they're seeing came out of.
pkg/serviceaccount/jwt_test.go
Outdated
| t.Fatalf("Error checking for key ID: couldn't parse token: %v", err) | ||
| } | ||
|
|
||
| if jws.Signatures[0].Header.KeyID == "" { |
There was a problem hiding this comment.
This check seems unnecessary given the one below.
There was a problem hiding this comment.
I feel like it's important for debuggability to decorate the errors at the point they enter the kubernetes codebase from our dependencies.
That way, someone trying to debug this code doesn't have to try to guess which library call the error they're seeing came out of.
pkg/serviceaccount/jwt_test.go
Outdated
| } | ||
|
|
||
| if jws.Signatures[0].Header.KeyID != expectedKeyID { | ||
| t.Fatalf("Token %q has the wrong KeyID (got %q, want %q)", jwsString, jws.Signatures[0].Header.KeyID, expectedKeyID) |
mikedanese
added
the
priority/important-longterm
k8s-ci-robot
removed
the
needs-priority
This commit fills out the JWT "kid" (KeyID) field on most
serviceaccount tokens we create. The KeyID value we use is derived
from the public key of keypair that backs the cluster's OIDC issuer.
OIDC verifiers use the KeyID to smoothly cope with key rotations:
* During a rotation, the verifier will have multiple keys cached
from the issuer, any of which could have signed the token being
verified. KeyIDs let the verifier pick the appropriate key
without having to try each one.
* Seeing a new KeyID is a trigger for the verifier to invalidate its
cached keys and fetch the new set of valid keys from the identity
provider.
The value we use for the KeyID is derived from the identity provider's
public key by serializing it in DER format, taking the SHA256 hash,
and then urlsafe base64-encoding it. This gives a value that is
strongly bound to the key, but can't be reversed to obtain the public
key, which keeps people from being tempted to derive the key from the
key ID and using that for verification.
Tokens based on jose OpaqueSigners are omitted for now --- I don't see
any way to actually run the API server that results in an OpaqueSigner
being used.
mikedanese
added
ok-to-test
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ahmedtd, mikedanese The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
| // pick the correct key for verification when the identity party advertises | ||
| // multiple keys. | ||
| // | ||
| // Making the derivation non-reversible makes it impossible for someone to |
There was a problem hiding this comment.
Technically someone could just build the hash from the public key. But that would be silly to guard against.
There was a problem hiding this comment.
heh, ya. good point. it's just an arbitrary value and the choice doesn't have security implications unless you make a really bad decision. This hash is nice because it's not going to change if the key is not rotated and (most likely) going to change when the key is rotated but that's probably the extent of it.
|
I only scanned the code, but including the key ID sounds fine to me. 👍 I do think we need to declare that all service account tokens are not opaque since using the key ID implies structure. |
Feel free to review the KEP so we can start making changes :). kubernetes/enhancements#1205 I'd like to see GA of TokenRequest in 1.17 |
|
/retest |
This commit fills out the JWT "kid" (KeyID) field on most serviceaccount tokens we create. The KeyID value we use is derived from the public key of keypair that backs the cluster's OIDC issuer.
OIDC verifiers use the KeyID to smoothly cope with key rotations:
During a rotation, the verifier will have multiple keys cached from the issuer, any of which could have signed the token being verified. KeyIDs let the verifier pick the appropriate key without having to try each one.
Seeing a new KeyID is a trigger for the verifier to invalidate its cached keys and fetch the new set of valid keys from the identity provider.
The value we use for the KeyID is derived from the identity provider's public key by serializing it in DER format, taking the SHA256 hash, and then urlsafe base64-encoding it. This gives a value that is strongly bound to the key, but can't be reversed to obtain the public key, which keeps people from being tempted to derive the key from the key ID and using that for verification.
Tokens based on jose OpaqueSigners are omitted for now --- I don't see any way to actually run the API server that results in an OpaqueSigner being used.
/kind feature
/sig auth
Does this PR introduce a user-facing change?: