[ https://issues.apache.org/jira/browse/KNOX-3040?focusedWorklogId=925100&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-925100 ]
ASF GitHub Bot logged work on KNOX-3040:
----------------------------------------

Author: ASF GitHub Bot
Created on: 09/Jul/24 15:48
Start Date: 09/Jul/24 15:48
Worklog Time Spent: 10m
Work Description: moresandeep opened a new pull request, #924:
URL: https://github.com/apache/knox/pull/924

## What changes were proposed in this pull request?

This PR is a followup to KNOX-3040 and adds support for multiple JWKS endpoints. Users can specify one JWKS endpoint or multiple comma-separated JWKS endpoints, as shown in the following example.

```
<param>
  <name>knox.token.jwks.url</name>
  <value>https://example.com/oauth2/keys?accountId=1234567890, https://www.googleapis.com/oauth2/v3/certs</value>
</param>
```

Note that the parameter name `knox.token.jwks.url` did not change.
This PR also fixes some deprecated classes and adds support for JWKS caching and retries (just one retry). TTL for JWKS caching is set to 2 hours.

## How was this patch tested?

The following is the log snippet of token verification from one valid and one invalid JWKS endpoints (https://example.com/oauth2/keys?accountId=1234567890, https://www.googleapis.com/oauth2/v3/certs)

```
2024-07-08 23:06:08,004 bfc003e6-5d86-4b09-bf0d-a9f1565e0d60 ERROR token.state (DefaultTokenAuthorityService.java:verifyToken(270)) - Failed to verify token using JWKS endpoint https://www.googleapis.com/oauth2/v3/certs, reason: org.apache.knox.gateway.services.security.token.TokenServiceException: Cannot verify token.
2024-07-08 23:06:13,977 bfc003e6-5d86-4b09-bf0d-a9f1565e0d60 INFO federation.jwt (AbstractJWTFilter.java:verifyTokenSignature(514)) - Token verification result using provided JWKS Url, verified: true
```

Issue Time Tracking
-------------------

Worklog Id: (was: 925100)
Time Spent: 50m (was: 40m)

> Support multiple ways to verify JWT tokens
> ------------------------------------------
>
> Key: KNOX-3040
> URL: https://issues.apache.org/jira/browse/KNOX-3040
> Project: Apache Knox
> Issue Type: Bug
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> Currently we can only have one way to validate JWT token either
> # Using JWKS endpoint
> # Using PEM
> # Using the signing-key
> We should be able to support multiple verifications together.
> This is an example configuration
> {code:java}
> <provider>
>   <role>federation</role>
>   <name>JWTProvider</name>
>   <enabled>true</enabled>
>   <param>
>     <name>knox.token.use.cookie</name>
>     <value>true</value>
>   </param>
>
>   <param>
>     <name>knox.token.jwks.url</name>
>     <value>https://my.idp.com/oauth/.wellknown</value>
>   </param>
>   <param>
>     <name>knox.token.verification.pem</name>
>
>     <value>MIIDaDCCAlCgAwIBAgIJAKFjn6W+gdAXMA0GCSqGSIb3DQEBBQUAMF8xCzAJBgNVBAYTAlVTMQ0wC...</value>
>   </param>
>   <param>
>     <name>jwt.expected.issuer</name>
>     <value>https://my.idp.com/</value>
>   </param>
>   <param>
>     <name>knox.token.use.cookie</name>
>     <value>true</value>
>   </param>
> </provider>
> {code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
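
The multi-endpoint behaviour the pull request describes (comma-separated `knox.token.jwks.url`, a 2 hour JWKS cache, one retry, and a failing endpoint not preventing a later one from verifying), shown as an added Python example that is not Knox code and not part of the original message. The names `JwksCache`, `http_fetch` and `verify_with_any` are hypothetical, and `verify` is assumed to be a caller-supplied signature check (for instance from a JOSE library) that takes the token and a parsed JWKS document.

```python
# Added example, not Knox code; all function and class names are hypothetical.
import json
import time
import urllib.request

JWKS_TTL_SECONDS = 2 * 60 * 60  # cache TTL stated in the PR: 2 hours
FETCH_ATTEMPTS = 2              # first attempt plus the single retry


def split_jwks_urls(value):
    """Split a comma-separated knox.token.jwks.url value, trimming blanks."""
    return [u.strip() for u in value.split(",") if u.strip()]


def http_fetch(url):
    """Default fetcher: download and parse a JWKS document."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


class JwksCache:
    def __init__(self, fetch=http_fetch, clock=time.monotonic):
        self.fetch, self.clock, self.entries = fetch, clock, {}

    def get(self, url):
        hit = self.entries.get(url)
        if hit and self.clock() - hit[0] < JWKS_TTL_SECONDS:
            return hit[1]                      # still fresh, no network call
        for attempt in range(FETCH_ATTEMPTS):
            try:
                jwks = self.fetch(url)
                self.entries[url] = (self.clock(), jwks)
                return jwks
            except (OSError, ValueError):
                if attempt == FETCH_ATTEMPTS - 1:
                    raise                      # retry exhausted


def verify_with_any(token, urls_value, cache, verify):
    """Return (verified, url_that_verified, failures); fail closed if none do."""
    failures = {}
    for url in split_jwks_urls(urls_value):
        try:
            if verify(token, cache.get(url)):
                return True, url, failures
            failures[url] = "signature not verified"
        except (OSError, ValueError) as err:
            failures[url] = f"JWKS unavailable: {err}"
    return False, None, failures
```

The `failures` map gives one entry per endpoint that did not verify the token, which is the information the ERROR line in the log snippet carries; a token is accepted only when some endpoint's keys verify it.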