[ https://issues.apache.org/jira/browse/KNOX-2149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16994995#comment-16994995 ]
Kevin Risden commented on KNOX-2149:
------------------------------------

Ok, so maybe I wasn't clear. I think you developed on top of v1.3.0. You want to create a new branch from master locally. Then cherry-pick your commits to that new branch. Use that new branch to open a PR against master. So when the PR opens it should be the one or few N commits of difference between your branch and Knox master.

> Knox JWTTokenProvider - JWT verification with OIDC provider by invoking JWKS verification url
> ---------------------------------------------------------------------------------------------
>
>                 Key: KNOX-2149
>                 URL: https://issues.apache.org/jira/browse/KNOX-2149
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: KnoxSSO
>            Reporter: Saravanan Sathyamoorthy
>            Assignee: Saravanan Sathyamoorthy
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Current capability in Apache Knox -
> Knox has a pac4j provider ([https://knox.apache.org/books/knox-0-12-0/user-guide.html#Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect]) that provides OIDC support ([https://knox.apache.org/books/knox-0-12-0/user-guide.html#For+OpenID+Connect+support:]).
> However this only works for UI applications.
> For REST API -> we need to use the JWT token provider ([https://knox.apache.org/books/knox-0-12-0/user-guide.html#JWT+Provider]) that takes a .pem file (certificate with public key to decrypt the token) as argument.
> Implementation class -> [https://github.com/apache/knox/blob/master/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java] - takes (public static final String SSO_VERIFICATION_PEM = "sso.token.verification.pem") as argument.
> This .pem file is parsed to get the public key to validate the token.
>
>     // token verification pem
>     String verificationPEM = filterConfig.getInitParameter(SSO_VERIFICATION_PEM);
>     // setup the public key of the token issuer for verification
>     if (verificationPEM != null) {
>       publicKey = CertificateUtils.parseRSAPublicKey(verificationPEM);
>     }
>
> Resolution:
> Option 1 - We can change the code to pass the public key and use it for token validation. Downside is every time we change the key there should be a Knox config change.
> Option 2 - We can change the code to pass the JWKS verification url and if a key is changed - no Knox config change is required.
> Change done to support using the JWKS verification url to validate the token:
> We selected Option 2 to make things more robust.
> Class JWTFederationFilter was changed to get an additional parameter (JWKS verification url) and code to use this url to get the public key and then use this to validate the token. This approach will make it easy to manage key rotation.
> Library used is - [https://github.com/okta/okta-jwt-verifier-java]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
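An added example of the Option 2 flow described in the issue (JWKS lookup by `kid` instead of a static .pem), not code from the issue, the PR, or Knox itself. It uses Nimbus JOSE+JWT rather than the okta-jwt-verifier-java library the reporter names, so the class names are Nimbus' own; the issuer and audience strings are made up, and the IdP's JWKS is constructed in memory with `ImmutableJWKSet` so the program runs offline. In a gateway you would hand `buildProcessor` a `RemoteJWKSet` pointed at the provider's `jwks_uri`; that source caches the key set and re-fetches it when a token arrives with a `kid` it has not seen, which is what makes rotation work without a config change.

```java
import java.text.ParseException;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.List;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

/**
 * Added example, not Knox code: verify RS256 tokens against a JWKS, selecting the
 * key by the "kid" header. ISSUER and AUDIENCE are hypothetical values.
 */
public class JwksVerifyDemo {

    static final String ISSUER = "https://idp.example.com/"; // hypothetical OIDC issuer
    static final String AUDIENCE = "knox-gateway";            // hypothetical expected aud

    /**
     * Build the verifier over any JWKSource. Offline here via ImmutableJWKSet; a gateway
     * would pass new RemoteJWKSet<>(new URL(jwksUrl)) (Nimbus' cached HTTP source) instead.
     */
    static DefaultJWTProcessor<SecurityContext> buildProcessor(JWKSource<SecurityContext> keys) {
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        // Pin the algorithm: only RS256 headers are accepted and the key is chosen by kid,
        // so alg=none or an HS256 header using the public key as HMAC secret is rejected.
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keys));
        // Claims policy: exact issuer, required audience, sub and exp present; expired exp fails.
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                AUDIENCE,
                new JWTClaimsSet.Builder().issuer(ISSUER).build(),
                new HashSet<>(Arrays.asList("sub", "exp"))));
        return processor;
    }

    /** Mint a token the way the IdP would: RS256, kid in the header, private key never published. */
    static String mint(RSAKey signingKey, long ttlMillis) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(ISSUER).subject("alice").audience(AUDIENCE)
                .expirationTime(new Date(System.currentTimeMillis() + ttlMillis))
                .build();
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256)
                .keyID(signingKey.getKeyID()).build();
        SignedJWT jwt = new SignedJWT(header, claims);
        jwt.sign(new RSASSASigner(signingKey));
        return jwt.serialize();
    }

    /** Run one token through the processor and report the outcome instead of throwing. */
    static String check(DefaultJWTProcessor<SecurityContext> processor, String label, String token) {
        try {
            JWTClaimsSet claims = processor.process(token, null);
            return label + ": accepted, sub=" + claims.getSubject();
        } catch (BadJOSEException | JOSEException | ParseException e) {
            return label + ": rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Two IdP signing keys live during a rotation window, plus an attacker key reusing the new kid.
        RSAKey oldKey = new RSAKeyGenerator(2048).keyID("2019-11").generate();
        RSAKey newKey = new RSAKeyGenerator(2048).keyID("2019-12").generate();
        RSAKey rogueKey = new RSAKeyGenerator(2048).keyID("2019-12").generate();

        // What the IdP publishes at its jwks_uri: public halves only, both live keys listed.
        List<JWK> published = Arrays.<JWK>asList(oldKey.toPublicJWK(), newKey.toPublicJWK());
        DefaultJWTProcessor<SecurityContext> processor =
                buildProcessor(new ImmutableJWKSet<>(new JWKSet(published)));

        System.out.println(check(processor, "old kid", mint(oldKey, 60_000)));
        System.out.println(check(processor, "new kid", mint(newKey, 60_000)));
        System.out.println(check(processor, "rogue key, same kid", mint(rogueKey, 60_000)));
        System.out.println(check(processor, "expired", mint(newKey, -300_000)));
    }
}
```

The four checks cover the cases a gateway operator cares about: tokens signed under either published key verify, so the IdP can roll keys without touching Knox config; a token whose `kid` matches a published key but whose signature was made with a different private key fails signature verification, since `kid` only selects the candidate key and never replaces the check; and a token past its `exp` is refused by the claims verifier. When wiring a real `RemoteJWKSet`, constrain the JWKS URL to HTTPS and, ideally, to the `jwks_uri` from the issuer's discovery document, because whoever controls that URL controls which keys Knox trusts.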