Larry McCay created HADOOP-11717:
------------------------------------

             Summary: Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth
                 Key: HADOOP-11717
                 URL: https://issues.apache.org/jira/browse/HADOOP-11717
             Project: Hadoop Common
          Issue Type: Improvement
          Components: security
            Reporter: Larry McCay
            Assignee: Larry McCay


Extend AltKerberosAuthenticationHandler to provide WebSSO flow for UIs.

The actual authentication is done by some external service that the handler 
will redirect to when there is no hadoop.auth cookie and no JWT token found in 
the incoming request.

Using JWT provides a number of benefits:

* It is not tied to any specific authentication mechanism - so buys us many SSO integrations
* It is cryptographically verifiable for determining whether it can be trusted
* Checking for expiration allows for a limited lifetime and window for compromised use

This will introduce the use of nimbus-jose-jwt library for processing, 
validating and parsing JWT tokens.





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
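
The flow described in the issue above (hadoop.auth cookie, else a verified JWT, else redirect), as an added sketch that is not code from the HADOOP-11717 patch. It assumes RS256-signed tokens and the nimbus-jose-jwt 4.x or later API; the class name, method names and provider URL are hypothetical.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jwt.*;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;

public class WebSsoFlowSketch {
    static final String PROVIDER_URL = "https://sso.example.com/login"; // hypothetical placeholder
    // Returns the subject only if the signature and the expiry both check out.
    static String validate(String serialized, RSAPublicKey key) {
        try {
            SignedJWT jwt = SignedJWT.parse(serialized);
            // Pin the algorithm; never let the token header choose it.
            if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) return null;
            if (!jwt.verify(new RSASSAVerifier(key))) return null;
            Date exp = jwt.getJWTClaimsSet().getExpirationTime();
            // A token without exp would never expire, so reject it.
            if (exp == null || !exp.after(new Date())) return null;
            return jwt.getJWTClaimsSet().getSubject();
        } catch (java.text.ParseException | JOSEException e) {
            return null; // malformed or unverifiable token
        }
    }
    // Decision outlined in the issue: cookie first, then JWT, otherwise redirect.
    static String decide(String hadoopAuthCookie, String jwt, RSAPublicKey key) {
        if (hadoopAuthCookie != null) return "existing hadoop.auth session";
        String user = (jwt == null) ? null : validate(jwt, key);
        return (user != null) ? "authenticated as " + user : "302 -> " + PROVIDER_URL;
    }

    // Builds a constructed sample token; stands in for the external service.
    static String token(PrivateKey signer, String sub, long expMillis) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject(sub).expirationTime(new Date(expMillis)).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        jwt.sign(new RSASSASigner(signer));
        return jwt.serialize();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair idp = gen.generateKeyPair(), other = gen.generateKeyPair();
        RSAPublicKey trusted = (RSAPublicKey) idp.getPublic();
        long now = System.currentTimeMillis();
        System.out.println(decide(null, null, trusted));                                            // no token
        System.out.println(decide(null, token(idp.getPrivate(), "alice", now + 60_000), trusted));   // valid
        System.out.println(decide(null, token(idp.getPrivate(), "alice", now - 60_000), trusted));   // expired
        System.out.println(decide(null, token(other.getPrivate(), "alice", now + 60_000), trusted)); // wrong key
    }
}
```

Only the second call authenticates; the missing, expired and wrongly signed tokens all fall through to the redirect.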
