Philip Zampino created KNOX-3073:
------------------------------------
Summary: Token verification fallback to Knox keys behavior should be
configurable
Key: KNOX-3073
URL: https://issues.apache.org/jira/browse/KNOX-3073
Project: Apache Knox
Issue Type: Improvement
Components: Server
Reporter: Philip Zampino
Assignee: Philip Zampino
KNOX-3040 introduced support for multiple token verification mechanisms (i.e., PEM, jwks)
for the same topology (provider instance), falling back to Knox's own signing
and TLS keys if any of those configured should fail.
This behavior may not be expected by some, and we should provide the ability to
control the fallback to the Knox keys.
To support deployments expecting the previous behavior, there should be a
provider param for indicating that the new fall-back behavior is desired (e.g.,
instance-keys-fallback=true), which defaults to false.
Default Behavior:
* Neither PEM nor jwks URL(s) is configured: Knox will attempt verification using (in order)
** Knox's signing key
** Knox's TLS key
* Only PEM is configured: Knox will attempt verification using ONLY the configured PEM
* Only jwks URL(s) are configured: Knox will attempt verification using ONLY the configured jwks URL(s)
* PEM AND jwks URL(s) are configured: Knox will attempt verification using ONLY (in order)
** The configured PEM
** The configured jwks URL(s)
instance-keys-fallback=true Behavior:
* Same as default behavior, except that in the cases where PEM and/or jwks URL(s) are configured and fail to verify, Knox will subsequently attempt verification using (in order):
** Knox's signing key
** Knox's TLS key
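To make the two behavior lists above concrete, here is an added Python sketch of the proposed verification order; it is not Knox's code. The configured PEM, jwks URL(s) and Knox's own keys are modelled as HMAC keys over a toy token format (a stand-in for real JWT verification), and `ProviderConfig` is a hypothetical view of the provider params, with `instance_keys_fallback` standing for the `instance-keys-fallback` param the ticket suggests.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-ins for Knox's own signing and TLS keys (not real key material).
KNOX_SIGNING_KEY = b"constructed-knox-signing-key"
KNOX_TLS_KEY = b"constructed-knox-tls-key"


@dataclass
class ProviderConfig:
    """Hypothetical view of the provider params the ticket discusses."""
    pem_key: Optional[bytes] = None                        # stand-in for a configured PEM
    jwks_keys: List[bytes] = field(default_factory=list)   # stand-in for jwks URL(s)
    instance_keys_fallback: bool = False                   # proposed param, defaults to false


def verification_order(cfg: ProviderConfig) -> List[Tuple[str, bytes]]:
    """Ordered (label, key) sources Knox would try under the proposal."""
    configured: List[Tuple[str, bytes]] = []
    if cfg.pem_key is not None:
        configured.append(("pem", cfg.pem_key))
    configured += [("jwks", k) for k in cfg.jwks_keys]
    knox_keys = [("knox-signing", KNOX_SIGNING_KEY), ("knox-tls", KNOX_TLS_KEY)]
    if not configured:
        return knox_keys  # nothing configured: Knox's own keys, signing key first
    # Something is configured: ONLY those sources, plus Knox keys if fallback is enabled.
    return configured + (knox_keys if cfg.instance_keys_fallback else [])


def sign(payload: dict, key: bytes) -> str:
    """Mint a toy HMAC-signed token '<base64 body>.<hex mac>' (stand-in for a JWT)."""
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify(token: str, cfg: ProviderConfig) -> Optional[str]:
    """Try each source in order; return the label that verified, or None if all fail."""
    body, _, mac = token.rpartition(".")
    for label, key in verification_order(cfg):
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, mac):
            return label
    return None
```

With the default config a token signed by Knox's own key verifies; once a PEM or jwks source is configured, that same token is rejected unless the fallback param is set.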