Skip to content

fix(ers): Do not use auth header jwt in MultiStrategy ERS #2862

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

fix(ers): Do not use auth header jwt in MultiStrategy ERS #2862

wants to merge 4 commits into from

Conversation

@elizabethhealy
Copy link
Member

@elizabethhealy elizabethhealy commented Oct 31, 2025

Proposed Changes

  • the ERS should not use the auth JWT, it should us the entities or token provided in the request body
  • the V1 ERS needed to add a value to the context so it could be used by one of the providers

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

@elizabethhealy elizabethhealy changed the title fix(entityresolution): Use entities passed in request instead of auth jwt fix(entityresolution): Do not use auth header jwt in MultiStrategy ERS Oct 31, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Oct 31, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 164.338809ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 97.698374ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 367.728436ms
Throughput 271.94 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 38.569872722s
Average Latency 384.149749ms
Throughput 129.63 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 26.955548305s
Average Latency 268.651294ms
Throughput 185.49 requests/second

@elizabethhealy elizabethhealy changed the title fix(entityresolution): Do not use auth header jwt in MultiStrategy ERS fix(ers): Do not use auth header jwt in MultiStrategy ERS Oct 31, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Oct 31, 2025

X-Test Results

opentdfplatformR0SLWK.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2862
✅ java-pull-2862
✅ go-pull-2862

@github-actions
Copy link
Contributor

github-actions bot commented Oct 31, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 161.944654ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 108.231258ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 357.100711ms
Throughput 280.03 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 38.988337218s
Average Latency 388.077486ms
Throughput 128.24 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 27.504329326s
Average Latency 273.958307ms
Throughput 181.79 requests/second

@github-actions
Copy link
Contributor

github-actions bot commented Oct 31, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 190.694599ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 113.281087ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 366.249846ms
Throughput 273.04 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.551078164s
Average Latency 403.629903ms
Throughput 123.30 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 28.123354412s
Average Latency 280.528963ms
Throughput 177.79 requests/second

@github-actions
Copy link
Contributor

github-actions bot commented Oct 31, 2025

X-Test Results

opentdfplatformJJCG2Z.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
bats-test-results
✅ go-v0.4.34
✅ js-pull-2862
✅ java-pull-2862
✅ go-pull-2862

@github-actions
Copy link
Contributor

github-actions bot commented Oct 31, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 149.059113ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 82.077857ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 364.148096ms
Throughput 274.61 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 38.771798633s
Average Latency 386.013992ms
Throughput 128.96 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 27.232461824s
Average Latency 271.447957ms
Throughput 183.60 requests/second

@github-actions
Copy link
Contributor

github-actions bot commented Oct 31, 2025

X-Test Results

opentdfplatformGZA8VV.dockerbuild
✅ java-v0.4.34
cukes-report
✅ js-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2862
✅ java-pull-2862
✅ go-pull-2862

@elizabethhealy elizabethhealy marked this pull request as ready for review October 31, 2025 19:26
@elizabethhealy elizabethhealy requested a review from a team as a code owner October 31, 2025 19:26
@github-actions
Copy link
Contributor

github-actions bot commented Oct 31, 2025

X-Test Results

opentdfplatform86LMPN.dockerbuild
cukes-report
✅ java-v0.4.34
✅ js-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-2862
✅ java-pull-2862
✅ go-pull-2862

alkalescent
alkalescent reviewed Nov 3, 2025
View reviewed changes
service/entityresolution/multi-strategy/v2/registration.go
Comment on lines +66 to 89
var claimsMap types.JWTClaims
switch entityV2.GetEntityType().(type) {
case *entity.Entity_Claims:
claims := entityV2.GetClaims()
if claims != nil {
// First unmarshal to structpb.Struct
var claimsStruct structpb.Struct
err := claims.UnmarshalTo(&claimsStruct)
if err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("error unpacking anypb.Any to structpb.Struct: %w", err))
}
// Convert to map[string]interface{}
claimsMap = claimsStruct.AsMap()
}
default:
entityBytes, err := protojson.Marshal(entityV2)
if err != nil {
return nil, err
}
err = json.Unmarshal(entityBytes, &claimsMap)
if err != nil {
return nil, err
}
}
Copy link
Contributor

@alkalescent alkalescent Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given this logic block is almost identical to the one in the v2 version (besides getting the claims). Is there a way to abstract this logic to a function?

Copy link
Member Author

@elizabethhealy elizabethhealy Nov 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good call out, do you know if we have a recommended strategy around shared code for v1/v2 versions? looking at the rest of the code at least within the ERS implementations it seems like its all duplication instead of shared functions, so i kind of just followed that strategy, but if thats not the case we should refactor across ERS

Copy link
Contributor

@jakedoublev jakedoublev Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We copied over the entirety of the v2 ERS initially when it was scaffolded for Auth Service v2. As the intention is to deprecate the entirety of ERS v1 when Auth Service v1 is deprecated (within the next few releases), I would not recommend expending too much effort on DRYness unless the DRY changes also benefit logic within the single v2 service version alone.

Copy link
Member Author

@elizabethhealy elizabethhealy Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ya the logic doesnt really repeat within v2 so not sure a separate func would be needed, also not sure where i would put that if it were to be shared between the two, we dont really have a place for that right now. so i may just opt to go with the duplication for now if thats ok

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jakedoublev jakedoublev jakedoublev left review comments

@alkalescent alkalescent Awaiting requested review from alkalescent

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size/m

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@elizabethhealy @alkalescent @jakedoublev