damienburke commented on code in PR #22215:
URL: https://github.com/apache/pulsar/pull/22215#discussion_r1517836936


##########
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderToken.java:
##########
@@ -458,4 +485,64 @@ public String getHeader(String name) {
             return super.getHeader(name);
         }
     }
+
+    @Slf4j
+    private static final class JwkResolver implements SigningKeyResolver {
+        @Setter
+        @Getter
+        private static class JwksData {
+            private List<Map<String, Object>> keys;
+        }
+
+        private final Map<String, Jwk> jwks;
+
+        public JwkResolver(String configValue) {
+            try {
+                byte[] bytes = AuthTokenUtils.readKeyFromUrl(configValue);
+                ObjectMapper objectMapper = ObjectMapperFactory.create();
+                JwksData data = objectMapper.reader().readValue(bytes, 
JwksData.class);
+                if (data == null || data.getKeys() == null || 
data.getKeys().isEmpty()) {
+                    log.warn("No keys in " + data);
+                    jwks = Collections.emptyMap();
+                    return;
+                }
+                jwks = new LinkedHashMap<>();
+                data.getKeys().forEach((n) -> {
+                    Jwk jwk = Jwk.fromValues(n);
+                    jwks.put(jwk.getId(), jwk);
+                });
+                if (log.isDebugEnabled()) {
+                    log.info("jwks: {}", jwks);
+                }
+            } catch (IOException e) {
+                log.error("Failed to get jwks from {}", configValue, e);
+                throw new IllegalArgumentException(e);
+            }
+        }
+
+        private Key get(String keyId) {
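Review bot: `jwks.put(jwk.getId(), jwk)` silently overwrites on collision, so two keys that both lack a kid (both map to a null id, which `LinkedHashMap` accepts) or two keys sharing a kid leave only the last one resolvable; consider failing the constructor, or at least warning, when `put` returns a non-null previous value, because a dropped key otherwise surfaces later only as unexplained signature failures. Two smaller points in the same constructor: `if (log.isDebugEnabled()) { log.info("jwks: {}", jwks); }` guards on debug but emits at info, so one of the two should change; and `log.warn("No keys in " + data)` concatenates a `JwksData` that has no `toString` (only `@Getter`/`@Setter`), so it prints an object identity, while the URL in `configValue` is the useful thing to report, e.g. `log.warn("No keys in JWKS from {}", configValue)`.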

Review Comment:
   I think your logic is saying, if the JWKS file only contains one entry, ALWAYS use it to verify. Correct? If so, that does seem reasonable. So I think it's the following statement I need help with:
   
   > Once all clients use the token with an id, you can add more keys to your JWKS.
   
   Our existing JWT creation process is set in stone. We for various reasons cannot update it, and those "legacy" JWTs will never have a kid. Not sure, but it feels like with your logic we would be unable to migrate to multiple key support, and I feel we must support verifying JWTs with our existing, non-kid key AND future kid keys at the same time (which is supported by my logic).
   
   Thanks for the collaboration @nodece
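The migration question above (legacy tokens that carry no `kid` alongside newer tokens that do) can be served from one JWKS without letting a token pick an arbitrary key. The class below is an added illustration written for this thread, not Pulsar's `JwkResolver` and not either reviewer's proposed logic; the name `KidSelectorDemo`, the `legacyKid` constructor parameter and the sample key ids are assumptions made for the example. It applies three rules: a present `kid` must match exactly (an unknown `kid` is never remapped to another key), a JWKS with a single entry is used for any token, and with several entries a kid-less token is accepted only against one explicitly configured legacy key. It also refuses a JWKS with duplicate or missing ids at load time instead of overwriting entries in the map.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Hypothetical verification-key selector (not Pulsar's JwkResolver) showing one
 * way to serve both legacy "no kid" tokens and newer "kid" tokens from a single
 * JWKS without key confusion.
 */
public final class KidSelectorDemo {

    private final Map<String, PublicKey> byKid = new LinkedHashMap<>();
    // Key used only for tokens without a kid; null means such tokens are rejected
    // as soon as the JWKS holds more than one key.
    private final PublicKey legacyKey;

    /**
     * @param keys      kid -> public key, as loaded from a JWKS
     * @param legacyKid kid of the key kid-less legacy tokens were signed with, or null
     */
    public KidSelectorDemo(Map<String, PublicKey> keys, String legacyKid) {
        for (Map.Entry<String, PublicKey> e : keys.entrySet()) {
            // Fail at load time instead of silently overwriting entries in the map.
            if (e.getKey() == null || e.getKey().isEmpty()) {
                throw new IllegalArgumentException("JWK without kid cannot be addressed");
            }
            if (byKid.put(e.getKey(), e.getValue()) != null) {
                throw new IllegalArgumentException("duplicate kid: " + e.getKey());
            }
        }
        if (legacyKid != null && !byKid.containsKey(legacyKid)) {
            throw new IllegalArgumentException("legacy kid not present in JWKS: " + legacyKid);
        }
        this.legacyKey = legacyKid == null ? null : byKid.get(legacyKid);
    }

    /** Select the key a token header points at; empty means "reject the token". */
    public Optional<PublicKey> select(String kid) {
        if (kid != null) {
            // An unknown kid is never mapped to some other key: that would let a
            // token choose a key it was not signed with.
            return Optional.ofNullable(byKid.get(kid));
        }
        if (byKid.size() == 1) {
            // The "single entry, always use it" rule from the discussion.
            return Optional.of(byKid.values().iterator().next());
        }
        // Several keys and no kid: only the explicitly configured legacy key qualifies.
        return Optional.ofNullable(legacyKey);
    }

    private static PublicKey newRsaKey() throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair().getPublic();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample JWKS: "legacy" stands for the key old tokens were signed with.
        Map<String, PublicKey> keys = new LinkedHashMap<>();
        keys.put("legacy", newRsaKey());
        keys.put("2024-03", newRsaKey());

        KidSelectorDemo selector = new KidSelectorDemo(keys, "legacy");
        System.out.println("kid=2024-03 resolved: " + selector.select("2024-03").isPresent());
        System.out.println("kid=null resolved to legacy key: "
                + selector.select(null).map(k -> k == keys.get("legacy")).orElse(false));
        System.out.println("kid=unknown resolved: " + selector.select("unknown").isPresent());

        // Without a configured legacy key, kid-less tokens are rejected once a second key exists.
        KidSelectorDemo strict = new KidSelectorDemo(keys, null);
        System.out.println("strict, kid=null resolved: " + strict.select(null).isPresent());
    }
}
```

The `legacyKid` setting is the part that makes the two-key migration work: the kid-less legacy key can stay in the JWKS (under an id of the operator's choosing) while new keys are added, and the selector never has to guess which of several keys a kid-less token belongs to.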



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org