[jira] [Commented] (KNOX-3052) Allow Multiple Issuers and JWTs with no Audience in same Topology as Others

Tue, 22 Apr 2025 23:02:01 -0700 


    [ 
https://issues.apache.org/jira/browse/KNOX-3052?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17946614#comment-17946614
 ] 

ASF subversion and git services commented on KNOX-3052:
-------------------------------------------------------

Commit 281f3a589bd22b5d012e10e38c5016936b9fa8f9 in knox's branch 
refs/heads/dependabot/maven/commons-io-commons-io-2.14.0 from Philip Zampino
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=281f3a589 ]

KNOX-3052: Allow Multiple Issuers and JWTs with no Audience in same Topology as 
Others (#1006)



> Allow Multiple Issuers and JWTs with no Audience in same Topology as Others
> ---------------------------------------------------------------------------
>
>                 Key: KNOX-3052
>                 URL: https://issues.apache.org/jira/browse/KNOX-3052
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: JWT
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 2.1.0
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> While we have a change to introduce the ability to use multiple JWKS Urls to 
> verify a token signature, without this change any tokens would need to have 
> the same Issuer. This isn't ideal and limits the flexibility that we are 
> looking for.
> This change is only an iteration beyond that approach but still not ideal. We 
> will want to have a better isolation of the expected claims, algorithms, etc 
> - per token. This will suffice for now but we will revisit it in the near 
> future for better isolation.
> Here we will simply change the expectedIssuers param to be a List of Strings 
> from a comma separated list and introduce a keyword "NONE" to indicate even 
> though there are expected audiences for some tokens, it is also possible to 
> accept a token with no audience as well. This is an opt-in only feature that 
> requires the admin to configure "NONE" as an acceptable audience claim. This 
> will pass when there are no audiences in the token or even if there is one 
> called "NONE". Again, this will be revisited in the future and done better.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to