nodece commented on code in PR #22215:
URL: https://github.com/apache/pulsar/pull/22215#discussion_r1517556832


##########
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderToken.java:
##########
@@ -458,4 +485,64 @@ public String getHeader(String name) {
             return super.getHeader(name);
         }
     }
+
+    @Slf4j
+    private static final class JwkResolver implements SigningKeyResolver {
+        @Setter
+        @Getter
+        private static class JwksData {
+            private List<Map<String, Object>> keys;
+        }
+
+        private final Map<String, Jwk> jwks;
+
+        public JwkResolver(String configValue) {
+            try {
+                byte[] bytes = AuthTokenUtils.readKeyFromUrl(configValue);
+                ObjectMapper objectMapper = ObjectMapperFactory.create();
+                JwksData data = objectMapper.reader().readValue(bytes, 
JwksData.class);
+                if (data == null || data.getKeys() == null || 
data.getKeys().isEmpty()) {
+                    log.warn("No keys in " + data);
+                    jwks = Collections.emptyMap();
+                    return;
+                }
+                jwks = new LinkedHashMap<>();
+                data.getKeys().forEach((n) -> {
+                    Jwk jwk = Jwk.fromValues(n);
+                    jwks.put(jwk.getId(), jwk);
+                });
+                if (log.isDebugEnabled()) {
+                    log.info("jwks: {}", jwks);
+                }
+            } catch (IOException e) {
+                log.error("Failed to get jwks from {}", configValue, e);
+                throw new IllegalArgumentException(e);
+            }
+        }
+
+        private Key get(String keyId) {
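Review bot: The guard `if (log.isDebugEnabled())` wraps `log.info("jwks: {}", jwks)`, so the full key set is emitted at INFO whenever DEBUG is on; this should be `log.debug`, and since a JWK may carry symmetric or private key material it is safer to log only the key ids (`jwks.keySet()`) rather than the `Jwk` objects. Separately, `jwks.put(jwk.getId(), jwk)` silently overwrites an earlier entry when two JWKs share a `kid`, and stores under a `null` key when a JWK has no `kid`; rejecting duplicates and missing ids at load time (or at least warning) keeps the resolver from picking an unintended key, and the constructor currently only catches `IOException`, so a malformed entry in `data.getKeys()` surfaces as an unhandled runtime exception instead of the `IllegalArgumentException` path used for read failures.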

Review Comment:
   > If the kid is null, and you only have one key in the JWKS file, we can use 
this key to verify your token.
   > the JWKS file would need to store both.
   
   Sorry, this kid should be your token id.
   
   You only set up one key in the JWKS, which must have a kid. Regardless of 
whether your token contains an id, you can obtain the correct key, like so:
   
   JWKS hashmap:
   ```
   kid1 -> JWK1
   ```
   
   | your token id | your JWKS | 
   | --- | --- |
   | null | JWK1 |
   | kid1 | JWK1 |
   | kid2 | JWK1 |
   
   > So to support the migration use case we could introduce a new optional 
field into the JwkResolver
   
   This is more complex than my way.
   
   Once all clients use tokens with an id, you can add more keys to your 
JWKS.
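The lookup policy in the table above, written out as a small, self-contained resolver. This is an added example and not code from the Pulsar PR or from the jjwt `SigningKeyResolver` being reviewed; it uses Python's standard library with symmetric (`kty: oct`) JWKs and HS256 so it runs offline, whereas the PR resolves keys for asymmetric JWKs in Java. The key names, secrets and tokens are constructed for the illustration. It also covers the case the comment defers to later (several keys in the JWKS), where an exact `kid` match is required.

```python
"""Illustrative JWKS resolver: one key in the JWKS is used for every token,
regardless of the token's kid; with several keys the kid must match exactly.
Constructed example, not the Pulsar implementation."""
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_jwks(jwks_json: str) -> dict:
    """Parse a JWKS document into {kid: secret}. Only 'oct' keys are handled here.
    A JWK without a kid, or a duplicate kid, is rejected rather than silently
    overwriting a map entry."""
    keys = {}
    for jwk in json.loads(jwks_json).get("keys", []):
        if jwk.get("kty") != "oct":
            raise ValueError("only symmetric 'oct' JWKs are supported in this example")
        kid = jwk.get("kid")
        if kid is None:
            raise ValueError("JWK without kid")
        if kid in keys:
            raise ValueError("duplicate kid in JWKS: " + kid)
        keys[kid] = b64url_decode(jwk["k"])
    return keys


def resolve_key(keys: dict, token_kid):
    """Policy from the review comment: a single-key JWKS serves every token
    (kid null, matching or not); a multi-key JWKS requires an exact kid match."""
    if len(keys) == 1:
        return next(iter(keys.values()))
    if token_kid is None:
        return None
    return keys.get(token_kid)


def sign_hs256(claims: dict, secret: bytes, kid=None) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, keys: dict):
    """Return the claims if the token verifies against the resolved key, else None.
    The alg is pinned to HS256 so a header cannot switch the verifier to another
    algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        return None
    secret = resolve_key(keys, header.get("kid"))
    if secret is None:
        return None
    expected = hmac.new(secret, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return None
    return json.loads(b64url_decode(parts[1]))


# Constructed secrets and JWKS documents (not real keys).
SECRET1 = b"constructed-secret-number-one-32b"
SECRET2 = b"constructed-secret-number-two-32b"
JWKS_ONE_KEY = json.dumps({"keys": [{"kty": "oct", "kid": "kid1", "k": b64url_encode(SECRET1)}]})
JWKS_TWO_KEYS = json.dumps({"keys": [
    {"kty": "oct", "kid": "kid1", "k": b64url_encode(SECRET1)},
    {"kty": "oct", "kid": "kid2", "k": b64url_encode(SECRET2)},
]})
KEYS_ONE = load_jwks(JWKS_ONE_KEY)
KEYS_TWO = load_jwks(JWKS_TWO_KEYS)

CLAIMS = {"sub": "client-a"}
TOKEN_NO_KID = sign_hs256(CLAIMS, SECRET1)          # token id: null
TOKEN_KID1 = sign_hs256(CLAIMS, SECRET1, "kid1")    # token id: kid1
TOKEN_KID2 = sign_hs256(CLAIMS, SECRET1, "kid2")    # token id: kid2, but signed with JWK1's secret


def resolution_table() -> dict:
    """Rows of the comment's table (single-key JWKS) plus the multi-key case."""
    return {
        "one_key/null": verify_hs256(TOKEN_NO_KID, KEYS_ONE),
        "one_key/kid1": verify_hs256(TOKEN_KID1, KEYS_ONE),
        "one_key/kid2": verify_hs256(TOKEN_KID2, KEYS_ONE),
        "two_keys/null": verify_hs256(TOKEN_NO_KID, KEYS_TWO),
        "two_keys/kid1": verify_hs256(TOKEN_KID1, KEYS_TWO),
        "two_keys/kid2": verify_hs256(TOKEN_KID2, KEYS_TWO),
    }


if __name__ == "__main__":
    for row, result in resolution_table().items():
        print(row, "->", "accepted" if result else "rejected")
```

With a single key, all three rows of the table resolve to JWK1 and verify; once a second key is added, the token without a kid is rejected and the token claiming `kid2` fails because it was signed with JWK1's secret, which is the migration sequence the comment describes.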


