[
https://issues.apache.org/jira/browse/KNOX-3073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17896801#comment-17896801
]
ASF subversion and git services commented on KNOX-3073:
-------------------------------------------------------
Commit 7dd8b4318c8a685985b08cd2870bf212be814db2 in knox's branch
refs/heads/master from Philip Zampino
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7dd8b4318 ]
KNOX-3073 - Token verification fallback to Knox keys behavior should be
configurable (#949)
> Token verification fallback to Knox keys behavior should be configurable
> ------------------------------------------------------------------------
>
> Key: KNOX-3073
> URL: https://issues.apache.org/jira/browse/KNOX-3073
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Philip Zampino
> Assignee: Philip Zampino
> Priority: Major
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> KNOX-3040 introduced support for multiple token verification mechanisms
> (i.e., PEM, jwks) for the same topology (provider instance), falling back to
> Knox's own signing and TLS keys if any of those configured should fail.
> This behavior may not be expected by some, and we should provide the ability
> to control the fallback to the Knox keys.
> To support deployments expecting the previous behavior, there should be a
> provider param for indicating that the new fall-back behavior is desired
> (e.g., instance-keys-fallback=true), which defaults to false.
> Default Behavior:
> * Neither PEM nor jwks URL(s) is configured, attempt verification using (in
> order)
> ** Knox's signing key
> ** Knox's TLS key
> * Only PEM is configured: Knox will attempt verification using ONLY the
> configured PEM
> * Only jwks URL(s) are configured: Knox will attempt verification using ONLY
> the configured jwks URL(s)
> * PEM AND jwks URL(s) are configured: Knox will attempt verification using
> ONLY (in order)
> ** The configured PEM
> ** The configured jwks URL(s).
> instance-keys-fallback=true Behavior:
> * Same as default behavior except that in the cases where PEM and/or jwks
> URL(s) are configured and fail to verify, Knox will subsequently attempt
> verification using (in order):
> ** Knox's signing key
> ** Knox's TLS key
>
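The verifier-selection rules quoted above, modelled as an added example (this is not Knox's own code). The source names, the HMAC stand-in for real signature checks and the `ProviderConfig` field names are assumptions; `instance_keys_fallback` mirrors the `instance-keys-fallback` param the issue proposes.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed key material (source name -> secret). In Knox these would be
# the configured PEM key, the keys served by each jwks URL, and the
# gateway's own signing and TLS keys; here an HMAC secret stands in.
KEYS: Dict[str, bytes] = {
    "pem": b"configured-pem-key",
    "https://idp.example/jwks": b"jwks-key",
    "knox-signing": b"gateway-signing-key",
    "knox-tls": b"gateway-tls-key",
}
KNOX_INSTANCE_KEYS = ["knox-signing", "knox-tls"]  # tried in this order


@dataclass
class ProviderConfig:
    pem: Optional[str] = None                  # None -> no PEM configured
    jwks_urls: List[str] = field(default_factory=list)
    instance_keys_fallback: bool = False       # the proposed provider param


def verifier_order(cfg: ProviderConfig) -> List[str]:
    """Key sources Knox tries, in order, per the issue description."""
    order = ([cfg.pem] if cfg.pem else []) + list(cfg.jwks_urls)
    # Gateway keys are used only when nothing is configured, or on opt-in.
    if not order or cfg.instance_keys_fallback:
        order += KNOX_INSTANCE_KEYS
    return order


def sign(payload: bytes, source: str) -> bytes:
    """Issue a token 'signed' by one key source (hex tag contains no '.')."""
    tag = hmac.new(KEYS[source], payload, hashlib.sha256).hexdigest()
    return payload + b"." + tag.encode()


def verify(token: bytes, cfg: ProviderConfig) -> Optional[str]:
    """Return the first source that verifies the token, or None if all fail."""
    payload, _, tag = token.rpartition(b".")
    for source in verifier_order(cfg):
        expected = hmac.new(KEYS[source], payload, hashlib.sha256).hexdigest()
        if hmac.compare_digest(tag, expected.encode()):
            return source
    return None
```

With a PEM configured and the default `instance_keys_fallback=False`, a token signed by the gateway's own key is rejected; the opt-in flag restores the KNOX-3040 fallback.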