michaeljmarshall commented on PR #19849:
URL: https://github.com/apache/pulsar/pull/19849#issuecomment-1483336721

   > I didn't notice any checks around the intended audience of the token. 
Maybe I missed it. I believe that the Pulsar cluster should have an associated 
audience that all tokens would be aimed at.
   
   @EronWright - This is present in the `AuthenticationProviderOpenID` class. 
Operators will configure `openIDAllowedAudiences` in the conf file and then the 
class uses that set of audiences when validating the token with this code:
   
   ```java
           JWTVerifier verifier = JWT.require(alg)
                   .acceptLeeway(acceptedTimeLeewaySeconds)
                   .withAnyOfAudience(allowedAudiences)
                   .withClaimPresence(RegisteredClaims.ISSUED_AT)
                   .withClaimPresence(RegisteredClaims.EXPIRES_AT)
                   .withClaimPresence(RegisteredClaims.NOT_BEFORE)
                   .withClaimPresence(RegisteredClaims.SUBJECT)
                   .build();
   ```
   
   The auth0 library used above offers `withAnyOfAudience` and 
`withAllOfAudience`. I am not too opinionated about which is correct, but it 
seems like we want operators to specify the set of audiences they will accept 
and then the token should have one of those audiences.
   
   Note that I verify the `allowedAudiences` set with this logic:
   
   ```java
       /**
        * Validate the configured allow list of allowedAudiences. The allowedAudiences must be set because
        * JWT must have an audience claim.
        * See https://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation.
        * @param allowedAudiences
        * @return the validated audiences
        */
       String[] validateAllowedAudiences(Set<String> allowedAudiences) {
           if (allowedAudiences == null || allowedAudiences.isEmpty()) {
               throw new IllegalArgumentException("Missing configured value for: " + ALLOWED_AUDIENCES);
           }
           return allowedAudiences.toArray(new String[0]);
       }
   ```
   
   Essentially, an operator will have to supply an audience in order to use the 
authentication provider.
   
   (All code snippets are from the PR in its current form. I copied them to 
simplify our discussion.)
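
To make the any-of versus all-of distinction concrete, here is an added Python example (not code from the PR or from the auth0 java-jwt library) that applies the same two rules to a decoded `aud` claim, which RFC 7519 allows to be either a single string or an array of strings, and that refuses an empty allow list the way `validateAllowedAudiences` does; the sample claims and audience names are constructed.

```python
from typing import Iterable, Optional, Set


class AudienceError(ValueError):
    """The token's aud claim does not satisfy the configured allow list."""


def validate_allowed_audiences(allowed: Optional[Iterable[str]]) -> Set[str]:
    # Same rule as the PR's validateAllowedAudiences: an empty allow list is a
    # misconfiguration, not "accept any audience", so refuse it up front.
    allowed = set(allowed or ())
    if not allowed:
        raise ValueError("Missing configured value for: openIDAllowedAudiences")
    return allowed


def token_audiences(claims: dict) -> Set[str]:
    # RFC 7519 section 4.1.3: aud is a single string or an array of strings.
    aud = claims.get("aud")
    if aud is None:
        raise AudienceError("token has no aud claim")
    if isinstance(aud, str):
        return {aud}
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return set(aud)
    raise AudienceError("aud is neither a string nor an array of strings")


def check_audience(claims: dict, allowed: Iterable[str], mode: str = "any") -> bool:
    """mode="any" mirrors withAnyOfAudience: at least one token audience is
    on the allow list. mode="all" mirrors withAllOfAudience: every configured
    audience must be present in the token."""
    allowed = validate_allowed_audiences(allowed)
    aud = token_audiences(claims)
    if mode == "any":
        return bool(aud & allowed)
    if mode == "all":
        return allowed <= aud
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample claims (assumed names): a token minted for two audiences.
SAMPLE_CLAIMS = {"sub": "svc-a", "aud": ["pulsar", "admin-api"]}
```

Signature and time-claim verification are assumed to have already passed; this only covers the audience rule an operator picks via the allow list.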


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
