[jira] [Work logged] (KNOX-3052) Allow Multiple Issuers and JWTs with no Audience in same Topology as Others

Thu, 17 Jul 2025 00:39:05 -0700 


     [ 
https://issues.apache.org/jira/browse/KNOX-3052?focusedWorklogId=974936&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-974936
 ]

ASF GitHub Bot logged work on KNOX-3052:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 17/Jul/25 07:38
            Start Date: 17/Jul/25 07:38
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on PR #926:
URL: https://github.com/apache/knox/pull/926#issuecomment-3082959116

   Closing this one because it was fixed in #1006 .




Issue Time Tracking
-------------------

    Worklog Id:     (was: 974936)
    Time Spent: 1.5h  (was: 1h 20m)

> Allow Multiple Issuers and JWTs with no Audience in same Topology as Others
> ---------------------------------------------------------------------------
>
>                 Key: KNOX-3052
>                 URL: https://issues.apache.org/jira/browse/KNOX-3052
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: JWT
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 2.1.0
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> While we have a change to introduce the ability to use multiple JWKS Urls to 
> verify a token signature, without this change any tokens would need to have 
> the same Issuer. This isn't ideal and limits the flexibility that we are 
> looking for.
> This change is only an iteration beyond that approach but still not ideal. We 
> will want to have a better isolation of the expected claims, algorithms, etc 
> - per token. This will suffice for now but we will revisit it in the near 
> future for better isolation.
> Here we will simply change the expectedIssuers param to be a List of Strings 
> from a comma separated list and introduce a keyword "NONE" to indicate even 
> though there are expected audiences for some tokens, it is also possible to 
> accept a token with no audience as well. This is an opt-in only feature that 
> requires the admin to configure "NONE" as an acceptable audience claim. This 
> will pass when there are no audiences in the token or even if there is one 
> called "NONE". Again, this will be revisited in the future and done better.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to