Document token format #369
Comments
Hello @nobe4 -- happy to take such a PR. Do note that we've disabled the "new" Vault 1.9.x format tokens by default in #298 -- SSCTs still exist but one has to manually opt in as the functionality isn't used without Vault Enterprise clustering that OpenBao lacks. (So only That said, IMO, I'd prefer tokens be treated as mostly opaque. Token size changed, so I think the regex may not match both short and long token formats, I'd expect a range operator or two explicit sizes based on types. My 2c., but I saw a lot of pain caused by adding SSCTs in system design that was too closely coupled to token size when perhaps being more forgiving would be better. :-)
Hi @cipherboy thanks for your swift answer!
Gotcha, nice ⭐
I mostly agree with this. In the event that we want to "look for" OpenBao tokens on an automated basis, to prevent leaks, would a specific regexp work? How about this more relaxed one?
I think that should suffice. Note here: https://developer.hashicorp.com/vault/docs/faq/ssct#q-what-token-changes-does-the-server-side-consistent-tokens-feature-introduce For the new token format (
Amazing, where do you think this should be documented? I am happy to open a PR :)
I think your original location (https://openbao.org/docs/concepts/tokens/) is good :-) This repository has the same documentation structure as upstream so I think you'll find the patch should port somewhat cleanly :-)
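The point above about not coupling leak detection to token size, as an added example that is not part of the issue thread or OpenBao's code: a scanner that anchors on the type prefix and a minimum body length, next to a fixed-size pattern that misses the longer format. The prefixes, body alphabet, minimum length, function names and sample log lines are all assumptions made for this sketch, and the pattern is not the one proposed in the thread.

```python
import re

# Assumptions for this sketch: Vault-style type prefixes (legacy "s.", "b.", "r."
# and the newer "hvs.", "hvb.", "hvr."), a URL-safe body alphabet, and a minimum
# body length of 24. There is deliberately no upper bound on the body.
_NOT_IDENT = r"(?<![A-Za-z0-9_.-])"  # do not start inside words like "this."
TOLERANT_RE = re.compile(_NOT_IDENT + r"((?:hv)?[sbr])\.([A-Za-z0-9_-]{24,})")

# Size-coupled pattern for contrast: exactly 24 characters after "s.".
STRICT_RE = re.compile(_NOT_IDENT + r"s\.[A-Za-z0-9]{24}(?![A-Za-z0-9_-])")

# Constructed sample values, not real tokens.
SHORT_TOKEN = "s." + "A1b2C3d4E5f6G7h8I9j0K1l2"  # 24-character body
LONG_TOKEN = "hvs." + "Zq3_" * 24                 # 96-character body
SAMPLE_LOG = "\n".join([
    "2024-05-01T10:00:00Z login ok token=" + SHORT_TOKEN,
    "2024-05-01T10:00:01Z GET /v1/sys/health X-Vault-Token: " + LONG_TOKEN,
    "2024-05-01T10:00:02Z this.configurationManagerInstanceHandle = 1",
])


def find_tokens(text, pattern=TOLERANT_RE):
    """Return the matched candidate tokens in order of appearance."""
    return [m.group(0) for m in pattern.finditer(text)]


def redact(text):
    """Replace each token body but keep the type prefix for triage."""
    return TOLERANT_RE.sub(lambda m: m.group(1) + ".[REDACTED]", text)


if __name__ == "__main__":
    print("tolerant:", len(find_tokens(SAMPLE_LOG)), "hits")
    print("strict:  ", len(find_tokens(SAMPLE_LOG, STRICT_RE)), "hits")
    print(redact(SAMPLE_LOG))
```

The lookbehind keeps ordinary member accesses such as `this.someLongIdentifier` from matching, which is the main false-positive source for a prefix as short as `s.`.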
Is your feature request related to a problem? Please describe.
I opened hashicorp/vault#27151 and due to legal shenanigans ended up not contributing to hashicorp/vault.
I was wondering if this project would benefit from clarification towards the token format.
It seems that the code used for generating it is similar to vault's:
openbao/vault/token_store.go
Lines 997 to 1000 in 1800244
Happy to discuss this further!
Describe the solution you'd like
Having the token format documented.
Here's the patch I submitted in hashicorp/vault, which might be applicable with little updates to this repo, granted the correct place is found.
Additional context
cc github/redacting-logger#48
cc hashicorp/vault#27151