
[Bug] The jwt_header setting breaks compliance with HTTP/1.1 RFC #3886

Open
peternied opened this issue Dec 22, 2023 · 1 comment
Labels
triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@peternied
Member

peternied commented Dec 22, 2023

Description

There is a setting jwt_header that allows customizing which header is used to transmit authorization information. Following the HTTP/1.1 RFC [1], the Authorization header is reserved for this use. By putting authorization information into a different header name, it could be logged incorrectly, poorly handled, or even cause the request to be rejected depending on the client implementation. This feature should not be used.

Recommendation

Deprecate use of the jwt_header in the current OpenSearch version (v2.X.X) and on the next major version of OpenSearch (v3.0.0) remove it.

Additional Context

@github-actions github-actions bot added the untriaged Require the attention of the repository maintainers and may need to be prioritized label Dec 22, 2023
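The two failure modes the issue names (credentials logged incorrectly, and handled differently by intermediaries) can be shown with a small simulation. The block below is an added example, not code from the OpenSearch security plugin: it models a proxy or access-log layer that redacts only the standard credential headers, sends the same JWT once in a custom header and once in `Authorization`, and finishes with a config lint in the spirit of the deprecation check the linked commits add. The header name `X-JWT-Assertion`, the sample token, and the function names are assumptions made for this illustration.

```python
"""Added example (not OpenSearch code): a JWT in a non-standard header slips
past default credential redaction, while the same token in ``Authorization``
does not, plus a lint that flags a non-standard ``jwt_header`` setting.
Header names other than ``Authorization`` and the sample token are constructed."""
import base64
import json
import re
from typing import Dict, Iterable, List


def _b64url(data: bytes) -> str:
    """base64url without padding, as used by JWS/JWT."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample JWT (header.payload.signature); the signature is a dummy.
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "alice", "roles": ["admin"]}).encode()),
    _b64url(b"not-a-real-signature"),
])

# Header names a typical proxy / access-log layer redacts by default.
# ``Authorization`` is the RFC 7235 credential header; a custom name is
# unknown to such defaults and therefore logged in the clear.
DEFAULT_SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})

# Three base64url segments separated by dots: the shape of a compact JWS.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def redact_headers(headers: Dict[str, str],
                   sensitive: Iterable[str] = DEFAULT_SENSITIVE_HEADERS) -> Dict[str, str]:
    """Redact values of known credential headers (names compared case-insensitively)."""
    sensitive_lc = {h.lower() for h in sensitive}
    return {k: ("[REDACTED]" if k.lower() in sensitive_lc else v) for k, v in headers.items()}


def leaked_tokens(logged_headers: Dict[str, str]) -> List[str]:
    """Return the names of logged headers whose value still looks like a JWT.
    The scheme prefix (e.g. ``Bearer``) is stripped before matching."""
    return [k for k, v in logged_headers.items() if JWT_RE.match(v.split(" ", 1)[-1])]


def build_request_headers(jwt: str, jwt_header: str = "Authorization") -> Dict[str, str]:
    """Client side: put the JWT where the server's ``jwt_header`` setting expects it.
    With the standard header the token travels as a ``Bearer`` credential (RFC 6750)."""
    if jwt_header.lower() == "authorization":
        return {"Authorization": f"Bearer {jwt}", "Host": "search.example"}
    return {jwt_header: jwt, "Host": "search.example"}


def check_jwt_header_setting(http_authenticator_config: Dict[str, object]) -> List[str]:
    """Config lint (assumed shape, not the plugin's own check): warn when
    ``jwt_header`` names anything other than the standard ``Authorization`` header."""
    warnings: List[str] = []
    value = http_authenticator_config.get("jwt_header")
    if value is not None and str(value).lower() != "authorization":
        warnings.append(
            f"jwt_header={value!r} is deprecated; send the JWT in the Authorization header instead"
        )
    return warnings


if __name__ == "__main__":
    for header in ("X-JWT-Assertion", "Authorization"):
        logged = redact_headers(build_request_headers(SAMPLE_JWT, header))
        print(f"{header}: logged={logged} leaked={leaked_tokens(logged)}")
    print(check_jwt_header_setting({"type": "jwt", "jwt_header": "X-JWT-Assertion"}))
```

Running the block shows the custom header surviving redaction with the full token in the log line, while the `Authorization` variant is reduced to `[REDACTED]`; the lint reports the non-standard setting. The same asymmetry applies to caches, CORS preflight allow-lists and WAF rules that special-case `Authorization` by name.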
willyborankin pushed a commit that referenced this issue Dec 22, 2023
### Description
Add deprecation check for `jwt_header` setting

### Issues Resolved
- Related #3886

### Check List
- [ ] ~New functionality includes testing~
- [ ] New functionality has been documented
- [X] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Peter Nied <petern@amazon.com>
opensearch-trigger-bot bot pushed a commit that referenced this issue Dec 22, 2023
### Description
Add deprecation check for `jwt_header` setting

### Issues Resolved
- Related #3886

### Check List
- [ ] ~New functionality includes testing~
- [ ] New functionality has been documented
- [X] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Peter Nied <petern@amazon.com>
(cherry picked from commit 3c566a4)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@stephen-crawford
Contributor

[Triage] Hi @peternied, thank you for filing this issue. This sounds like a good idea based on the RFC for HTTP etc.

@stephen-crawford stephen-crawford added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jan 8, 2024
prabhask5 pushed a commit to prabhask5/opensearch-security that referenced this issue Jan 11, 2024
dlin2028 pushed a commit to dlin2028/security that referenced this issue May 1, 2024