[jira] [Work logged] (KNOX-3052) Allow Multiple Issuers and JWTs with no Audience in same Topology as Others

Wed, 19 Mar 2025 16:04:05 -0700 


     [ 
https://issues.apache.org/jira/browse/KNOX-3052?focusedWorklogId=962615&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-962615
 ]

ASF GitHub Bot logged work on KNOX-3052:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 19/Mar/25 23:03
            Start Date: 19/Mar/25 23:03
    Worklog Time Spent: 10m 
      Work Description: pzampino commented on PR #926:
URL: https://github.com/apache/knox/pull/926#issuecomment-2738425905

   This is a more complete version of https://github.com/apache/knox/pull/926, 
addressing some test issues therewith.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 962615)
    Time Spent: 50m  (was: 40m)

> Allow Multiple Issuers and JWTs with no Audience in same Topology as Others
> ---------------------------------------------------------------------------
>
>                 Key: KNOX-3052
>                 URL: https://issues.apache.org/jira/browse/KNOX-3052
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: JWT
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 2.1.0
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> While we have a change to introduce the ability to use multiple JWKS Urls to 
> verify a token signature, without this change any tokens would need to have 
> the same Issuer. This isn't ideal and limits the flexibility that we are 
> looking for.
> This change is only an iteration beyond that approach but still not ideal. We 
> will want to have a better isolation of the expected claims, algorithms, etc 
> - per token. This will suffice for now but we will revisit it in the near 
> future for better isolation.
> Here we will simply change the expectedIssuers param to be a List of Strings 
> from a comma separated list and introduce a keyword "NONE" to indicate even 
> though there are expected audiences for some tokens, it is also possible to 
> accept a token with no audience as well. This is an opt-in only feature that 
> requires the admin to configure "NONE" as an acceptable audience claim. This 
> will pass when there are no audiences in the token or even if there is one 
> called "NONE". Again, this will be revisited in the future and done better.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to