feat: add optional id and clv to JWT claims #6052
Changes from 22 commits
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -33,7 +33,12 @@ You must generate a secret 32-byte (64 characters) hexadecimal string that will | |
|
||
### Configure Lodestar to locate the JWT secret | ||
|
||
When starting up a Lodestar beacon node in any configuration, ensure you add the `--jwt-secret $JWT_SECRET_PATH` flag to point to the saved secret key file. | ||
When starting up a Lodestar beacon node in any configuration, ensure you add the `--jwtSecret $JWT_SECRET_PATH` flag to point to the saved secret key file. | ||
|
||
### Set up and include identifiers in JWT tokens | ||
|
||
Lodestar auto-populates `clv` field in the claims of JWT authentication tokens with a non-configurable value `Lodestar/$CLIENT_VERSION` eg. `Lodestar/v1.3.0/2d0938e` to communicate the client's version. Lodestar also optionally includes `id` field in the claims with value `$JWT_ID` if the appropriate flag `--jwtId $JWT_ID` is added. | ||
`id` and `clv` are particularly useful when running multiple consensus-layer clients with the different JWT secrets which makes the execution-layer client difficult to choose which JWT secret to verify against due to the inability to distinguish between the different consensus-layer clients. | ||
This might be confusing, as far as I am aware execution clients do not natively support multiplexing of consensus clients and I don't think this will ever be something that will be implemented. Without a multiplexer middleware like eleel it is not recommended to connect multiple CLs to a single EL.

I thought about the possible use case of configuring I am inclined to just remove this entirely because the point of this doc is to set up a beacon node. Explaining things in jwt claim and the option to add Man writing user doc is hard

Yeah, I rather see people using eleel come to the CLI reference to see if Lodestar has the option to set the jwt id

+1, I think should keep it simple here

Definitely hard thing because it is quite subjective and user feedback is required in a lot of cases, @matthewkeil is working on a docs restructuring which should make it clearer on what details to include where. In my opinion
ensi321 marked this conversation as resolved.
|
||
|
||
### Ensure JWT is configured with your execution node | ||
|
||
|
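Review bot: The added sentence beginning "`id` and `clv` are particularly useful" implies that the execution-layer client chooses a JWT secret from the claims, which means reading `id` before the signature has been verified; the text should say that the claim is only a hint for selecting the secret and that the token is accepted solely on the signature check against that secret. The sentence is also hard to parse ("with the different JWT secrets which makes the execution-layer client difficult to choose"); consider "when several consensus-layer clients use different JWT secrets, the execution-layer client cannot otherwise tell which secret to verify a token against". Minor: "eg." should be "e.g.".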
@@ -54,7 +59,7 @@ Use the `--authrpc.jwtsecret` flag to configure the secret. Use their documentat | |
To start a Lodestar beacon run the command: | ||
|
||
```bash | ||
./lodestar beacon --network $NETWORK_NAME --jwt-secret $JWT_SECRET_PATH | ||
./lodestar beacon --network $NETWORK_NAME --jwtSecret $JWT_SECRET_PATH | ||
``` | ||
|
||
This will assume an execution-layer client is available at the default | ||
|
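Review bot: Nothing near the changed command says whether the old `--jwt-secret` spelling is still accepted after the switch to `--jwtSecret`. Operators copy start commands from this page into scripts and service units, so add one sentence stating either that both spellings work or that `--jwt-secret` has to be replaced.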
@@ -63,7 +68,7 @@ location of `https://localhost:8545`. | |
In case execution-layer clients are available at different locations, use `--execution.urls` to specify these locations in the command: | ||
|
||
```bash | ||
./lodestar beacon --network $NETWORK_NAME --jwt-secret $JWT_SECRET_PATH --execution.urls $EL_URL1 $EL_URL2 | ||
./lodestar beacon --network $NETWORK_NAME --jwtSecret $JWT_SECRET_PATH --execution.urls $EL_URL1 $EL_URL2 | ||
``` | ||
|
||
Immediately you should see confirmation that the node has started | ||
|
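Review bot: The multi-endpoint command passes a single `--jwtSecret` together with two `--execution.urls` values, and the surrounding text does not say whether that one secret is used for every listed endpoint. State this next to the example so a reader whose execution-layer clients were set up with different secret files knows what to expect.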
Why change this flag? I think yargs supports both notations and the `--jwt-secret` flag is kind of standardized across clients

Kinda, but not really

- `--ee-jwt-secret-file` (ref)
- `--execution-jwt` (ref)
- `--jwt-secret` (ref)
- `--jwt-secret` (ref)

For Lodestar, `--jwt-secret` is currently the only commonly used flag which uses different casing. I'd recommend we use the same standard (camelCase) for this flag as well.