[ 
https://issues.apache.org/jira/browse/KNOX-2146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16989078#comment-16989078
 ] 

Larry McCay commented on KNOX-2146:
-----------------------------------

For HDP specific topics, you should engage support at Cloudera.

I am not following your assertion regarding public key vs public cert - 
JWTProvider supports PEM encoded public cert or public key in PKI terminology.

We do not support shared secret based signatures.

If you are indeed setting a PEM encoded public cert as expected then perhaps 
something went wrong with the export of it from your IDP?

Further, while you may indeed be able to configure JWTProvider to validate 
3rd-party JWTs, I would suggest caution there as it is intended for use with 
tokens from our KnoxToken service and we don't have any tests written for your 
IDP. Anything that changes on either side can cause that to break.

Generally, you should use the mailing list rather than Jira for an inquiry like 
this.

I do see that there is a lack of documentation for setting the PEM and will use 
this Jira to track adding those details.

 

> Knox JWT token signature verification using public key
> ------------------------------------------------------
>
>                 Key: KNOX-2146
>                 URL: https://issues.apache.org/jira/browse/KNOX-2146
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: KnoxSSO
>    Affects Versions: 1.0.0
>         Environment: Ubuntu 18.04, HDP 3.1
>            Reporter: Matei C.
>            Priority: Minor
>
> Hello,
>  I have configured an Apache Knox (1.0.0) topology to accept 3rd party JWTs 
> by following this [Cloudera 
> guide|[https://community.cloudera.com/t5/Community-Articles/Knox-Accept-third-party-JWT/ta-p/248488]].
>  
>  I would also like to verify the 3rd party JWTs based on their signature by 
> adding my IdP's public key in PEM format for the JWT provider, but in the 
> guide it is specified that only PEM certificates are accepted (' [...] *In 
> current Knox version, public key is not supported, have to configure public 
> certificate [...]*') and I have not found any relevant documentation from 
> Knox on this subject.
>  
>  Can you please tell me if there is any solution to use public keys for JWT 
> verification in Knox 1.0.0 ? If not, are there any plans to support this in 
> future Knox releases ?
> P.S.:
> When adding the 'knox.token.verification.pem' parameter with the public key 
> in the JWT provider of my topology I noticed the below error in my 
> gateway.log, which does seem to confirm the public key limitation.
>  
> {code:java}
> javax.servlet.ServletException: javax.servlet.ServletException: 
> CertificateException - PEM may be corrupt
> {code}
>  
> Regards,



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
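The point of the exchange above, that a PEM verification value may be either an X.509 public certificate or a bare public key, that both reduce to the same RSA public key for checking an RS256 signature, and that shared-secret (HMAC) tokens are out of scope, can be reproduced outside Knox with nothing but openssl. The script below is an added example and is not Apache Knox code; it does not show how Knox's JWTProvider parses `knox.token.verification.pem`, only the verification a provider configured that way has to perform. The IdP key pair, self-signed certificate, tokens and file names are constructed for the example, and treating an unparseable PEM as a rejection is the stand-in for the "PEM may be corrupt" error quoted in the issue.

```shell
#!/bin/sh
# Added example, not Apache Knox code. Accept either a PEM X.509 certificate or a PEM
# public key (both yield the same RSA public key), verify an RS256 JWT signature with
# it, and refuse HMAC (shared-secret) tokens. Everything below is constructed locally.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# base64url encode stdin / decode an argument (JWT segments are unpadded base64url).
b64url_enc() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
b64url_dec() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | openssl base64 -d -A
}

# Stand-in IdP (constructed): RSA key pair, self-signed cert, and the public key
# exported from it, plus a file that is not a PEM at all.
gen_idp() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/idp.key" 2>/dev/null
  openssl req -new -x509 -key "$WORK/idp.key" -subj "/CN=example-idp" -days 1 \
    -out "$WORK/idp.crt" 2>/dev/null
  openssl pkey -in "$WORK/idp.key" -pubout -out "$WORK/idp.pub" 2>/dev/null
  printf 'not a pem at all\n' > "$WORK/garbage.pem"
}

# Mint header.payload.signature. RS256 is RSASSA-PKCS1-v1_5 over SHA-256, which is
# what `openssl dgst -sign` produces for an RSA key; HS256 is an HMAC with a secret.
mint_rs256() {
  hdr=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url_enc)
  pl=$(printf '{"sub":"alice","iss":"https://idp.example","exp":4102444800}' | b64url_enc)
  sig=$(printf '%s.%s' "$hdr" "$pl" | openssl dgst -sha256 -sign "$WORK/idp.key" -binary | b64url_enc)
  printf '%s.%s.%s' "$hdr" "$pl" "$sig"
}
mint_hs256() {
  hdr=$(printf '{"alg":"HS256","typ":"JWT"}' | b64url_enc)
  pl=$(printf '{"sub":"alice","iss":"https://idp.example","exp":4102444800}' | b64url_enc)
  sig=$(printf '%s.%s' "$hdr" "$pl" | openssl dgst -sha256 -hmac 'shared-secret' -binary | b64url_enc)
  printf '%s.%s.%s' "$hdr" "$pl" "$sig"
}

# Turn whatever PEM the operator supplied into a public key file. A certificate carries
# the key inside it; a public key is used as-is; anything else is rejected (this is the
# example's equivalent of a "PEM may be corrupt" failure).
pem_to_pubkey() {
  if openssl x509 -in "$1" -noout 2>/dev/null; then
    openssl x509 -in "$1" -pubkey -noout > "$2"
  elif openssl pkey -pubin -in "$1" -noout 2>/dev/null; then
    cp "$1" "$2"
  else
    echo "PEM is neither an X.509 certificate nor a public key" >&2
    return 1
  fi
}

# Verify a compact JWT against a PEM. Only RS256 is accepted, so an HS256 or "none"
# token is refused before any key is used. Returns 0 only when the signature verifies.
verify_jwt() {
  jwt=$1; pem=$2
  hdr=${jwt%%.*}; rest=${jwt#*.}; pl=${rest%%.*}; sig=${rest#*.}
  alg=$(b64url_dec "$hdr" | sed -n 's/.*"alg":"\([^"]*\)".*/\1/p')
  [ "$alg" = "RS256" ] || { echo "unsupported alg: ${alg:-?}" >&2; return 1; }
  pem_to_pubkey "$pem" "$WORK/verify.pub" || return 1
  b64url_dec "$sig" > "$WORK/sig.bin"
  printf '%s.%s' "$hdr" "$pl" |
    openssl dgst -sha256 -verify "$WORK/verify.pub" -signature "$WORK/sig.bin" >/dev/null 2>&1
}

# Swap the payload of a token for a different one while keeping the original signature.
tamper() {
  jwt=$1
  hdr=${jwt%%.*}; rest=${jwt#*.}; sig=${rest#*.}
  pl=$(printf '{"sub":"mallory","iss":"https://idp.example","exp":4102444800}' | b64url_enc)
  printf '%s.%s.%s' "$hdr" "$pl" "$sig"
}
```

The same two openssl probes used in `pem_to_pubkey` are a quick check on a PEM before it goes into a topology: `openssl x509 -in file -noout` succeeds for a certificate, `openssl pkey -pubin -in file -noout` for a public key, and if both fail the export from the IdP is what needs fixing, as the comment above suggests. `openssl x509 -in cert.pem -pubkey -noout` is also the way to get a bare public key out of a certificate when that is the only form the IdP hands out.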
