[
https://issues.apache.org/jira/browse/KNOX-3052?focusedWorklogId=927265&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-927265
]
ASF GitHub Bot logged work on KNOX-3052:
----------------------------------------
Author: ASF GitHub Bot
Created on: 24/Jul/24 16:20
Start Date: 24/Jul/24 16:20
Worklog Time Spent: 10m
Work Description: lmccay opened a new pull request, #926:
URL: https://github.com/apache/knox/pull/926
## What changes were proposed in this pull request?
While we have a change to introduce the ability to use multiple JWKS Urls to
verify a token signature, without this change any tokens would need to have the
same Issuer. This isn't ideal and limits the flexibility that we are looking
for.
This change is only an iteration beyond that approach but still not ideal.
We will want to have a better isolation of the expected claims, algorithms, etc
- per token. This will suffice for now but we will revisit it in the near
future for better isolation.
Here we will simply change the expectedIssuers param to be a List of Strings
from a comma separated list and introduce a keyword "NONE" to indicate even
though there are expected audiences for some tokens, it is also possible to
accept a token with no audience as well. This is an opt-in only feature that
requires the admin to configure "NONE" as an acceptable audience claim. This
will pass when there are no audiences in the token or even if there is one
called "NONE". Again, this will be revisited in the future and done better.
## How was this patch tested?
New unit tests were added and existing tests run along with the new tests.
Please review [Knox Contributing
Process](https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-GithubWorkflow)
before opening a pull request.
Issue Time Tracking
-------------------
Worklog Id: (was: 927265)
Remaining Estimate: 0h
Time Spent: 10m
> Allow Multiple Issuers and JWTs with no Audience in same Topology as Others
> ---------------------------------------------------------------------------
>
> Key: KNOX-3052
> URL: https://issues.apache.org/jira/browse/KNOX-3052
> Project: Apache Knox
> Issue Type: Improvement
> Components: JWT
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> While we have a change to introduce the ability to use multiple JWKS Urls to
> verify a token signature, without this change any tokens would need to have
> the same Issuer. This isn't ideal and limits the flexibility that we are
> looking for.
> This change is only an iteration beyond that approach but still not ideal. We
> will want to have a better isolation of the expected claims, algorithms, etc
> - per token. This will suffice for now but we will revisit it in the near
> future for better isolation.
> Here we will simply change the expectedIssuers param to be a List of Strings
> from a comma separated list and introduce a keyword "NONE" to indicate even
> though there are expected audiences for some tokens, it is also possible to
> accept a token with no audience as well. This is an opt-in only feature that
> requires the admin to configure "NONE" as an acceptable audience claim. This
> will pass when there are no audiences in the token or even if there is one
> called "NONE". Again, this will be revisited in the future and done better.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
