smolnar82 opened a new pull request, #1168:
URL: https://github.com/apache/knox/pull/1168

   
   [KNOX-3266](https://issues.apache.org/jira/browse/KNOX-3266) - Support JWKS 
verification in SSOCookieProvider
   
   ## What changes were proposed in this pull request?
   
   TODO
   
   ## How was this patch tested?
   
   Manual testing:
   1. ran 2 Knox instances on my machine: local.knox.com on port 8443 and 
central.knox.com on port 8444
   2. configured the `sandbox` topology in `local.knox.com` with 
`SSOCookieProvider` to point to `central.knox.com` when it comes to 
authentication and added the Admin UI app for testing. In addition to this, I 
added the JWKS URL of the `central.knox.com` for verification:
   ```
   <?xml version="1.0" encoding="utf-8"?>
   <topology>
       <gateway>
           <provider>
                 <role>federation</role>
                 <name>SSOCookieProvider</name>
                 <enabled>true</enabled>
                 <param>
                      <name>sso.authentication.provider.url</name>
                      <value>http://central.knox.com:8444/gateway/sandbox/api/v1/websso</value>
                 </param>
                 <param>
                      <name>sso.token.verification.jwks.urls</name>
                      <value>http://central.knox.com:8444/gateway/sandbox/knoxtoken/api/v1/jwks.json</value>
                 </param>
                 <param>
                     <name>knoxsso.cookie.domain.suffix</name>
                     <value>.knox.com</value>
                 </param>
             </provider>
       </gateway>
       <service>
           <role>KNOX</role>
       </service>
       <service>
           <role>KNOX-SESSION</role>
       </service>
       <application>
          <name>admin-ui</name>
       </application>
   </topology>
   ```
   3. Configured the `sandbox` topology with the `KNOXSSO` service on 
`central.knox.com`. It's important to highlight the 
`knoxsso.cookie.domain.suffix=.knox.com` parameter:
   ```
   <?xml version="1.0" encoding="utf-8"?>
   <topology>
       <gateway>
           <provider>
               <role>authentication</role>
               <name>ShiroProvider</name>
               <enabled>true</enabled>
                <!-- Usual demo LDAP config here -->
           </provider>
           <provider>
               <role>identity-assertion</role>
               <name>Default</name>
               <enabled>true</enabled>
           </provider>
       </gateway>
       <application>
         <name>knoxauth</name>
       </application>
       <service>
           <role>KNOXSSO</role>
           <param>
               <name>knoxsso.cookie.secure.only</name>
               <value>false</value>
           </param>
           <param>
               <name>knoxsso.cookie.samesite</name>
               <value>lax</value>
           </param>
           <param>
               <name>knoxsso.token.ttl</name>
               <value>1800000</value>
           </param>
           <param>
              <name>knoxsso.redirect.whitelist.regex</name>
              <value>^https?:\/\/.+$</value>
           </param>
           <param>
              <name>knoxsso.cookie.domain.suffix</name>
              <value>.knox.com</value>
           </param>
       </service>
       <service>
           <role>KNOXTOKEN</role>
           <param>
                <name>knox.token.ttl</name>
                <value>1</value> <!-- 1 ms, because this service is added to be able to get the JWKS URL and not for token issuance -->
           </param>
       </service>
   </topology>
   ```
   4. Hit `http://local.knox.com:8443/gateway/sandbox/admin-ui/` in my browser. 
After successful login with `admin/admin-password` I was redirected back to the 
Admin UI running on `local.knox.com`:
   <img width="1727" height="988" alt="image" src="https://github.com/user-attachments/assets/52bb5dba-0c67-451b-8224-ef05f124b480" />
   
   
   ## Integration Tests
   N/A
   
   ## UI changes
   N/A
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
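What the new `sso.token.verification.jwks.urls` parameter asks the local Knox instance to do is: take the JWT in the SSO cookie, read the `kid` from its header, pick the matching public key out of the JWKS document served by the central instance, verify the signature with a pinned algorithm, and only then trust `sub` and `exp`. The script below walks through exactly that flow as an added example; it is not code from this pull request or from the Knox code base. Assumptions: the cookie carries an RS256 JWT with a `kid` header and an `iss` claim of `KNOXSSO`; the JWKS is built in-process from a throwaway key generated at run time (standing in for what `.../knoxtoken/api/v1/jwks.json` would serve) so nothing is fetched over the network; and RSASSA-PKCS1-v1_5 is hand-rolled on the standard library so the example runs without third-party JOSE or crypto packages. The function and key names (`verify_sso_token`, `generate_test_key`, `knoxsso-key-1`) are this example's own.

```python
"""Verify a KnoxSSO-style JWT cookie against a JWKS document (added example, not Knox code).
RS256 is implemented on the standard library so this runs offline; a deployment would use a JOSE library."""
import base64, hashlib, hmac, json, secrets, time

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, adequate for a throwaway test key."""
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force exact bit length and oddness
        if _is_probable_prime(c):
            return c

def generate_test_key(kid: str = "knoxsso-key-1", bits: int = 1024) -> dict:
    """Constructed RSA key pair plus its public JWK; stands in for central.knox.com's signing key."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    to_b64 = lambda v: b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    jwk = {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": to_b64(n), "e": to_b64(e)}
    return {"kid": kid, "n": n, "e": e, "d": pow(e, -1, phi), "jwk": jwk}

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) to k bytes (RFC 8017, section 9.2)."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def issue_token(key: dict, claims: dict) -> str:
    """Mint an RS256 JWT the way the issuing (KNOXSSO) side would, with kid in the header."""
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "RS256", "typ": "JWT", "kid": key["kid"]}) + "." + compact(claims)
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode("ascii"), k), "big")
    return signing_input + "." + b64url_encode(pow(em, key["d"], key["n"]).to_bytes(k, "big"))

class TokenRejected(Exception): pass

def verify_sso_token(token: str, jwks: dict, now=None, issuer: str = "KNOXSSO") -> dict:
    """Validate header, key selection, signature and claims; return the claims or raise TokenRejected."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64)), b64url_decode(s_b64)
    except ValueError as exc:
        raise TokenRejected(f"malformed token: {exc}") from None
    # Pin the algorithm: the token header must not choose it (blocks alg=none and HS256 key confusion).
    if header.get("alg") != "RS256":
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    keys = [j for j in jwks.get("keys", []) if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")]
    if len(keys) != 1:
        # An unknown kid usually means the issuer rotated keys: refetch the JWKS once, then fail closed.
        raise TokenRejected(f"no unique RSA key for kid {header.get('kid')!r}")
    n, e = (int.from_bytes(b64url_decode(keys[0][f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        raise TokenRejected("signature length does not match key size")
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    # Compare the whole encoded message, not just the hash suffix (Bleichenbacher 2006 forgery).
    if not hmac.compare_digest(recovered, _emsa_pkcs1_v15(f"{h_b64}.{p_b64}".encode("ascii"), k)):
        raise TokenRejected("signature verification failed")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenRejected("token expired or has no exp")
    if claims.get("iss") != issuer or not claims.get("sub"):
        raise TokenRejected("unexpected iss or missing sub")
    return claims

def is_valid_sso_token(token: str, jwks: dict, now=None) -> bool:
    try:
        verify_sso_token(token, jwks, now=now)
        return True
    except TokenRejected:
        return False

if __name__ == "__main__":
    key = generate_test_key()
    jwks = {"keys": [key["jwk"]]}   # what the central instance's jwks.json endpoint would return
    token = issue_token(key, {"iss": "KNOXSSO", "sub": "admin", "exp": int(time.time()) + 1800})
    print(verify_sso_token(token, jwks))
```

Two things worth carrying over to a real SSOCookieProvider deployment: the JWKS lookup is keyed on `kid`, so key rotation on the central instance works as long as the verifier refetches the document on an unknown `kid` (with a cap on how often it does so), and the verifier, not the token, decides the algorithm. Note also that the test topology above fetches the JWKS over plain `http://`; since the JWKS is the root of trust for every cookie the local instance accepts, a production setup should fetch it over TLS from a pinned host, otherwise an on-path attacker who can answer that request can substitute their own key.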