Hello!
I have a question about authentication in a custom verification flow.
Would it be possible to send an additional request to authenticate the user and get a JWT token before executing the verification URL? If so, how can I do that?
Thanks in advance!
Hi Dawid,
There could be some options here, but we likely need additional details.
Would these steps appear to be in line with your requirements?
- pull JWT from token API (or whatever mechanism delivers the JWT)
- store JWT in a Harness secret
- construct API call to verification source URL/payload to include JWT (this may require investigation in order to automate)
- refresh JWT on some interval?
What expiration will your JWTs have?
Hi!
Thanks for the quick answer.
Yeah, that was initially planned.
I can create a cron job which will make a request to the Auth provider and save the token as a Harness secret.
But I thought I would be able to do it without additional services / serverless functions.
Ideally I would make the request directly from the verification config and grab the JWT with some regexp or something like this.
In my current flow, where the Auth provider is AzureAD, I will have to create a service and a pipeline for it to safely deploy and inject AD credentials. I’m looking for a quicker/less complicated solution.
The token lasts for ~1h.
You’re welcome! Now take my apology for this delayed reply!
I believe I understand your use-case and design. To my knowledge, this functionality does not exist today.
Let me see if any colleagues have other thoughts or know if this exists as a feature request.
I cannot say that it’s a regularly encountered authorization pattern, though I can certainly understand the value you’re proposing.
Thank you @TCShain. We need this asap, so I think the best way will be to go with rotating the JWT in Azure KV and pulling it from the secret manager.
I’ve been able to verify that the process I outlined above sounds like the ideal approach for your use case.
Secrets are supported in headers for requests made to custom CV metric sources.
Combining this with the secret manager integration with Azure KV should allow for a simple hourly cron task to retrieve an active JWT and update the Azure KV object with the new value.
In this way, any new query of that custom CV source will be using the most up-to-date JWT, gracefully handling your token expirations.
Let me know if you have any questions or trouble!
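An added example, not part of the original thread and not Harness or Azure code: one way the scheduled rotation task could decide when to replace the stored JWT, so that a token with a ~1h lifetime is refreshed before it expires rather than exactly on the hour. `fetch_token` and `store_secret` are hypothetical callables standing in for the Auth provider request and the Azure KV update, and the 900-second margin and sample token are constructed for the demo.

```python
import base64
import json
import time


def jwt_expiry(token):
    """Return the exp claim (Unix seconds) from a compact JWT.

    The payload is decoded WITHOUT verifying the signature: the value is used
    only to schedule rotation, never to make a trust decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return int(claims["exp"])


def needs_rotation(token, now, margin=900):
    """True if the token is missing, unparsable, or expires within margin seconds."""
    if not token:
        return True
    try:
        return jwt_expiry(token) - now <= margin
    except (ValueError, KeyError, TypeError):
        return True


def rotate_if_needed(current, fetch_token, store_secret, now=None, margin=900):
    """Intended to run from cron more often than the token lifetime.

    fetch_token and store_secret are hypothetical callables (assumptions).
    Returns True when a new token was stored.
    """
    now = time.time() if now is None else now
    if not needs_rotation(current, now, margin):
        return False
    fresh = fetch_token()
    if needs_rotation(fresh, now, margin):
        raise RuntimeError("auth provider returned an unusable token")
    store_secret(fresh)  # never write the token value to logs
    return True


def make_sample_jwt(exp):
    """Constructed, unsigned sample token for the demo only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'sub': 'cv-demo', 'exp': exp})}.sig"
```

Scheduling the job every few minutes with a margin larger than the interval keeps the stored secret valid across a missed run.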