moresandeep opened a new pull request, #924: URL: https://github.com/apache/knox/pull/924
## What changes were proposed in this pull request?

This PR is a follow-up to KNOX-3040 and adds support for multiple JWKS endpoints. Users can specify one JWKS endpoint or multiple comma-separated JWKS endpoints as shown in the following example.

```
<param>
  <name>knox.token.jwks.url</name>
  <value>https://example.com/oauth2/keys?accountId=1234567890, https://www.googleapis.com/oauth2/v3/certs</value>
</param>
```

Note that the parameter name `knox.token.jwks.url` did not change.

This PR also fixes some deprecated classes and adds support for JWKS caching and retries (just one retry). TTL for JWKS caching is set to 2 hours.

## How was this patch tested?

Following is the log snippet of token verification from one valid and one invalid JWKS endpoint (https://example.com/oauth2/keys?accountId=1234567890, https://www.googleapis.com/oauth2/v3/certs):

```
2024-07-08 23:06:08,004 bfc003e6-5d86-4b09-bf0d-a9f1565e0d60 ERROR token.state (DefaultTokenAuthorityService.java:verifyToken(270)) - Failed to verify token using JWKS endpoint https://www.googleapis.com/oauth2/v3/certs, reason: org.apache.knox.gateway.services.security.token.TokenServiceException: Cannot verify token.
2024-07-08 23:06:13,977 bfc003e6-5d86-4b09-bf0d-a9f1565e0d60 INFO federation.jwt (AbstractJWTFilter.java:verifyTokenSignature(514)) - Token verification result using provided JWKS Url, verified: true
```

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
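The behaviour the PR description above outlines (comma-separated endpoints in `knox.token.jwks.url`, a per-endpoint cache with a 2-hour TTL, one retry, and falling through to the next endpoint when one cannot verify the token, as the log shows) as an added Python model; this is illustration code, not Knox's implementation, and the `JwksCache`, `sign` and `verify_token` names, the HMAC stand-in for RSA key material, and the constructed key sets are all assumptions.

```python
"""Added illustration in Python (not Knox code) of the flow this PR describes: the
knox.token.jwks.url value is split on commas, each endpoint's keys are cached for the
2-hour TTL, a fetch is retried once, and endpoints are tried in order until one verifies."""
import hashlib, hmac, time

JWKS_TTL_SECONDS = 2 * 60 * 60  # cache TTL stated in the PR: 2 hours
MAX_RETRIES = 1                 # "just one retry"

def parse_jwks_urls(value):
    """Split the comma-separated parameter value, tolerating spaces around commas."""
    return [u.strip() for u in value.split(",") if u.strip()]

class JwksCache:
    def __init__(self, fetch, ttl=JWKS_TTL_SECONDS, clock=time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl, clock
        self._entries = {}    # url -> (expires_at, {kid: key}); constructed stand-in for a JWKS
        self.fetch_calls = 0  # network fetches made, so caching and retry are observable

    def keys_for(self, url):
        now = self._clock()
        cached = self._entries.get(url)
        if cached and cached[0] > now:
            return cached[1]
        for attempt in range(1 + MAX_RETRIES):
            self.fetch_calls += 1
            try:
                keys = self._fetch(url)
            except OSError:
                if attempt == MAX_RETRIES:
                    raise
                continue
            self._entries[url] = (now + self._ttl, keys)
            return keys

def sign(key, payload):
    """Stand-in token signature (assumption): HMAC-SHA256 of the payload under the kid's key."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify_token(kid, payload, signature, urls, cache):
    """Return the first endpoint whose key set verifies the token, or None."""
    for url in urls:
        try:
            keys = cache.keys_for(url)
        except OSError:
            continue  # unreachable after the retry; Knox logs this and moves on
        key = keys.get(kid)
        if key is not None and hmac.compare_digest(sign(key, payload), signature):
            return url
    return None
```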