chore(tokens): remove tokens without key_id (#10301)

This has been deprecated and warned about for a long while Fix #5519 Signed-off-by: Charly Molter <charly.molter@konghq.com>
kumahq · May 22, 2024 · 8eb0143 · 8eb0143
1 parent eb7fef2
commit 8eb0143
Show file tree

Hide file tree

Showing 6 changed files with 4 additions and 137 deletions.
diff --git a/UPGRADE.md b/UPGRADE.md
@@ -14,6 +14,9 @@ With [#10250](https://github.com/kumahq/kuma/pull/10250) `MeshRetry` policies wi
 Prior to 2.8.x these were semantically valid but would create invalid Envoy configuration and would cause issues on the dataplane.
 Now this is rejected sooner to avoid service disruption.
 
+### Removal of legacy tokens
+
+Tokens issued from versions before 2.1.x needs to renewed before upgrading.
 
 ## Upgrade to `2.7.x`
 

diff --git a/pkg/core/tokens/compatibility_test.go b/pkg/core/tokens/compatibility_test.go
diff --git a/pkg/core/tokens/issuer_test.go b/pkg/core/tokens/issuer_test.go
@@ -32,9 +32,6 @@ func (t *TestClaims) ID() string {
 	return t.RegisteredClaims.ID
 }
 
-func (t *TestClaims) KeyIDFallback() {
-}
-
 func (t *TestClaims) SetRegisteredClaims(claims jwt.RegisteredClaims) {
 	t.RegisteredClaims = claims
 }

diff --git a/pkg/core/tokens/token.go b/pkg/core/tokens/token.go
@@ -14,10 +14,4 @@ type KeyID = string
 
 const KeyIDFallbackValue = "0"
 
-type KeyIDFallback interface {
-	// KeyIDFallback Marker function to indicate this can be used for tokens with v0
-	// This will be removed with https://github.com/kumahq/kuma/issues/5519
-	KeyIDFallback()
-}
-
 const KeyIDHeader = "kid" // standard JWT header that indicates which signing key we should use
diff --git a/pkg/core/tokens/validator.go b/pkg/core/tokens/validator.go
@@ -41,14 +41,7 @@ func (j *jwtTokenValidator) ParseWithValidation(ctx context.Context, rawToken To
 		var keyID KeyID
 		kid, exists := token.Header[KeyIDHeader]
 		if !exists {
-			if _, ok := claims.(KeyIDFallback); ok {
-				// KID wasn't supported in the past, so we use a marker interface to indicate which tokens were allowed
-				// This will be removed with https://github.com/kumahq/kuma/issues/5519
-				j.log.Info("[WARNING] Using token with KID header, you should rotate this token as it will not be valid in future versions of Kuma", "claims", claims, KeyIDHeader, 0)
-				keyID = KeyIDFallbackValue
-			} else {
-				return 0, fmt.Errorf("JWT token must have %s header", KeyIDHeader)
-			}
+			return 0, fmt.Errorf("JWT token must have %s header", KeyIDHeader)
 		} else {
 			keyID = kid.(string)
 		}

diff --git a/pkg/tokens/builtin/issuer/token.go b/pkg/tokens/builtin/issuer/token.go
@@ -38,9 +38,6 @@ func (d *DataplaneClaims) ID() string {
 	return d.RegisteredClaims.ID
 }
 
-func (d *DataplaneClaims) KeyIDFallback() {
-}
-
 func (d *DataplaneClaims) SetRegisteredClaims(claims jwt.RegisteredClaims) {
 	d.RegisteredClaims = claims
 }