[ https://issues.apache.org/jira/browse/KNOX-3266?focusedWorklogId=1007481&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1007481 ]
ASF GitHub Bot logged work on KNOX-3266:
----------------------------------------
Author: ASF GitHub Bot
Created on: 02/Mar/26 16:49
Start Date: 02/Mar/26 16:49
Worklog Time Spent: 10m
Work Description: smolnar82 opened a new pull request, #1168:
URL: https://github.com/apache/knox/pull/1168
[KNOX-3266](https://issues.apache.org/jira/browse/KNOX-3266) - Support JWKS
verification in SSOCookieProvider
## What changes were proposed in this pull request?
TODO
## How was this patch tested?
Manual testing:
1. Ran 2 Knox instances on my machine: `local.knox.com` on port 8443 and
`central.knox.com` on port 8444
2. Configured the `sandbox` topology in `local.knox.com` with
`SSOCookieProvider` to point to `central.knox.com` when it comes to
authentication and added the Admin UI app for testing. In addition to this, I
added the JWKS URL of `central.knox.com` for verification:
```
<?xml version="1.0" encoding="utf-8"?>
<topology>
    <gateway>
        <provider>
            <role>federation</role>
            <name>SSOCookieProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sso.authentication.provider.url</name>
                <value>http://central.knox.com:8444/gateway/sandbox/api/v1/websso</value>
            </param>
            <param>
                <name>sso.token.verification.jwks.urls</name>
                <value>http://central.knox.com:8444/gateway/sandbox/knoxtoken/api/v1/jwks.json</value>
            </param>
            <param>
                <name>knoxsso.cookie.domain.suffix</name>
                <value>.knox.com</value>
            </param>
        </provider>
    </gateway>
    <service>
        <role>KNOX</role>
    </service>
    <service>
        <role>KNOX-SESSION</role>
    </service>
    <application>
        <name>admin-ui</name>
    </application>
</topology>
```
3. Configured the `sandbox` topology with the `KNOXSSO` service on
`central.knox.com`. It's important to highlight the
`knoxsso.cookie.domain.suffix=.knox.com` parameter:
```
<?xml version="1.0" encoding="utf-8"?>
<topology>
    <gateway>
        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <!-- Usual demo LDAP config here -->
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>
    <application>
        <name>knoxauth</name>
    </application>
    <service>
        <role>KNOXSSO</role>
        <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>false</value>
        </param>
        <param>
            <name>knoxsso.cookie.samesite</name>
            <value>lax</value>
        </param>
        <param>
            <name>knoxsso.token.ttl</name>
            <value>1800000</value>
        </param>
        <param>
            <name>knoxsso.redirect.whitelist.regex</name>
            <value>^https?:\/\/.+$</value>
        </param>
        <param>
            <name>knoxsso.cookie.domain.suffix</name>
            <value>.knox.com</value>
        </param>
    </service>
    <service>
        <role>KNOXTOKEN</role>
        <param>
            <name>knox.toke.ttl</name>
            <value>1</value> <!
Issue Time Tracking
-------------------
Worklog Id: (was: 1007481)
Remaining Estimate: 0h
Time Spent: 10m
> Allow SSO cookie verification using JWKS endpoints
> --------------------------------------------------
>
> Key: KNOX-3266
> URL: https://issues.apache.org/jira/browse/KNOX-3266
> Project: Apache Knox
> Issue Type: Improvement
> Components: KnoxSSO, Server
> Affects Versions: 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> As of today, the JWTFederation filter can be configured to verify JWT tokens
> using pre-configured JWKS endpoint(s). This feature, however, is not
> available in the SSOCookieProvider filter, which we need to add.