----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/56753/#review168352 -----------------------------------------------------------
3rdparty/libprocess/src/jwt_authenticator.cpp Lines 75-97 (patched) <https://reviews.apache.org/r/56753/#comment240561> Strictly speaking, each element of the vector passed to the `Unauthorized()` constructor should be a separate challenge; in this case, each element is an attribute of a single challenge. We should pass these as a single string, in case the constructor of `Unauthorized` changes in the future to set multiple 'WWW-Authenticate' headers when there are multiple challenges. I would recommend: ``` result.unauthorized = Unauthorized({ "Bearer realm=\"" + realm_ + "\", " "error=\"invalid_token\", " "error_description=\"Malformed 'Authorization' header\""}); ``` 3rdparty/libprocess/src/jwt_authenticator.cpp Lines 109-112 (patched) <https://reviews.apache.org/r/56753/#comment240570> It's possible here that the JWT has set an empty JSON object in the payload, and we have no claims. Since the authenticator manager requires that either `Principal.value` or `Principal.claims` be set, we should check before this loop that the claims are non-empty. The authenticator manager would catch it, but we can provide a better error message (and an Unauthorized response) if we do the check here. - Greg Mann On March 8, 2017, 2:24 p.m., Jan Schlicht wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/56753/ > ----------------------------------------------------------- > > (Updated March 8, 2017, 2:24 p.m.) > > > Review request for mesos, Alexander Rojas and Greg Mann. > > > Bugs: MESOS-7001 > https://issues.apache.org/jira/browse/MESOS-7001 > > > Repository: mesos > > > Description > ------- > > This HTTP authenticator extracts a JWT from the requests' authorization > header using the 'Bearer' schema and validates it against a secret using > HMAC SHA256. The 'sub' claim of the JWT is the extracted principal, all > other claims will be additional labels of the 'Principal'. > > > Diffs > ----- > > 3rdparty/libprocess/Makefile.am 75386184108214e67a58c328258ec204099d638c > 3rdparty/libprocess/include/process/authenticator.hpp > 00660f42cd4b707d955745bbfea5ffec73f690d6 > 3rdparty/libprocess/src/jwt_authenticator.cpp PRE-CREATION > 3rdparty/libprocess/src/tests/http_tests.cpp > a0e23c2300f9f6b9d1143ee1eb115bbf24adf92e > > > Diff: https://reviews.apache.org/r/56753/diff/6/ > > > Testing > ------- > > make check > > > Thanks, > > Jan Schlicht > >
