Posted to commits@trafficserver.apache.org by ki...@apache.org on 2019/01/24 22:23:25 UTC

[trafficserver] branch master updated: Updating uri_signing docs to reflect new RFC changes

This is an automated email from the ASF dual-hosted git repository.

kichan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 90e51a2  Updating uri_signing docs to reflect new RFC changes
90e51a2 is described below

commit 90e51a2c47209a5342fbefb63128e9d6d9cfbc05
Author: Dylan Souza <dy...@comcast.com>
AuthorDate: Thu Jan 24 18:33:11 2019 +0000

    Updating uri_signing docs to reflect new RFC changes
---
 plugins/experimental/uri_signing/README.md | 34 ++++++++++++++++++++++++++----
 1 file changed, 30 insertions(+), 4 deletions(-)

diff --git a/plugins/experimental/uri_signing/README.md b/plugins/experimental/uri_signing/README.md
index f4fef0c..5dc8789 100644
--- a/plugins/experimental/uri_signing/README.md
+++ b/plugins/experimental/uri_signing/README.md
@@ -2,7 +2,7 @@ URI Signing Plugin
 ==================
 
 This remap plugin implements the draft URI Signing protocol documented here:
-https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-12 .
+https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-16 .
 
 It takes a single argument: the name of a config file that contains key information.
 
@@ -17,6 +17,8 @@ this plugin gets the URI.
 Config
 ------
 
+### Keys
+
 The config file should be a JSON object that maps issuer names to JWK-sets.
 Exactly one of these JWK-sets must have an additional member indicating the
 renewal key.
@@ -75,6 +77,26 @@ It's worth noting that multiple issuers can provide `auth_directives`.
 Each issuer will be processed in order and any issuer can provide access to
 a path.
 
+### Token Stripping
+
+When The boolean strip_token parameter is set to true, the plugin removes the 
+token from both the url that is sent upstream to the origin and the url that 
+is used as the cache key. It can be set like this:
+
+    {
+      "Kabletown URI Authority": {
+        "renewal_kid": "Second Key",
+        "strip_token" : true,
+        "auth_directives": [
+          ⋮
+        ]
+        "keys": [
+          ⋮
+        ]
+    }
+
+The strip_token parameter defaults to false and should be set by only one issuer.
+
 Usage
 -----
 
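Review bot: The JSON example in the new Token Stripping section is not well-formed, even allowing for the `⋮` elisions: there is no comma between the closing `]` of `auth_directives` and `"keys"`, and two `{` are opened but only one `}` closes them. Please fix both so the snippet can serve as a template. The opening sentence also reads "When The boolean strip_token parameter" (stray capital), and `strip_token` should be in backticks like `auth_directives` earlier in the file. Finally, "should be set by only one issuer" does not say what the plugin does when two issuers set it. Since stripping changes both the upstream URL and the cache key, the README should state the behaviour in that case.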
@@ -94,12 +116,14 @@ Path parameters will not be searched for JWTs.
 The following claims are understood:
 
   - `iss`: Must be present. The issuer is used to locate the key for verification.
-  - `sub`: Validated last, after key verification. **Only `uri-regex` is supported!**
+  - `sub`: May be present, but is not validated.
   - `exp`: Expired tokens are not valid.
   - `iat`: May be present, but is not validated.
   - `cdniv`: Must be missing or 1.
-  - `cdnistt`: If present, must be 1.
+  - `cdniuc`: Validated last, after key verificationD. **Only `regex` is supported!**
   - `cdniets`: If cdnistt is 1, this must be present and non-zero.
+  - `cdnistt`: If present, must be 1.
+  - `cdnistd`: If present, must be 0.
 
 ### Unsupported Claims
 
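Review bot: The `cdniuc` entry does not say whether the claim must be present, unlike the `iss` entry, and this matters because `sub` changes here from validated to "May be present, but is not validated". Please state what happens to a token that carries no `cdniuc` (for example one that still puts its URI restriction in `sub`): is it rejected, or accepted with no URI check? Smaller points in the same hunk: "key verificationD." has a stray "D", the `cdniets` entry refers to `cdnistt` one line before `cdnistt` is listed, and `cdnistd` would benefit from a word on what the value 0 means.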
@@ -108,8 +132,10 @@ These claims are not supported. If they are present, the token will not validate
   - `aud`
   - `nbf`
   - `jti`
+  - `cdnicrit`
+  - `cdniip`
 
-In addition, the `sub` containers of `uri`, `uri-pattern`, and `uri-hash` are
+In addition, the `cdniuc` container of `hash` is 
 **not supported**.
 
 ### Token Renewal
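Review bot: The rewritten sentence names only the `hash` container of `cdniuc` as unsupported, while the claims list earlier in this patch says of `cdniuc` "Only `regex` is supported!". The removed sentence listed every unsupported `sub` container by name; the new one should either do the same or say "containers other than `regex`", so the two statements cannot be read differently. The added line also ends in trailing whitespace ("of `hash` is ").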