[
https://issues.apache.org/jira/browse/SOLR-13734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16924154#comment-16924154
]
Jan Høydahl commented on SOLR-13734:
------------------------------------
Sample {{security.json}} with the new syntax:
{code:javascript}
{
"authentication": {
"class": "solr.JWTAuthPlugin",
"scope": "solr:read solr:write solr:admin",
"issuers": [
{
"name": "myMainIssuer",
"iss": "https://mainIdp/";,
"aud": "solr",
"jwkUrl": ["https://mainIdp/jwk-endpoint1";,
"https://mainIdp/jwk-endpoint2";]
},
{
"name": "myExtraIssuer",
"wellKnownUrl": "https://extraIdp/.well-known/openid-configuration";
}
]
}
}{code}
This syntax makes the configuration easier to read and can be used for
configuring any number of issuers. Note that the old syntax of configuring
'its', 'wellKnownUrl' etc as top-level JSON keys still works for back-compat
but will generate a log warning.
> JWTAuthPlugin to support multiple issuers
> -----------------------------------------
>
> Key: SOLR-13734
> URL: https://issues.apache.org/jira/browse/SOLR-13734
> Project: Solr
> Issue Type: New Feature
> Security Level: Public(Default Security Level. Issues are Public)
> Components: security
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Priority: Major
> Labels: JWT, authentication
> Time Spent: 10m
> Remaining Estimate: 0h
>
> In some large enterprise environments, there is more than one [Identity
> Provider|https://en.wikipedia.org/wiki/Identity_provider] to issue tokens for
> users. The equivalent example from the public internet is logging in to a
> website and choose between multiple pre-defined IdPs (such as Google, GitHub,
> Facebook etc) in the Oauth2/OIDC flow.
> In the enterprise the IdPs could be public ones but most likely they will be
> private IdPs in various networks inside the enterprise. Users will interact
> with a search application, e.g. one providing enterprise wide search, and
> will authenticate with one out of several IdPs depending on their local
> affiliation. The search app will then request an access token (JWT) for the
> user and issue requests to Solr using that token.
> The JWT plugin currently supports exactly one IdP. This JIRA will extend
> support for multiple IdPs for access token validation only. To limit the
> scope of this Jira, Admin UI login must still happen to the "primary" IdP.
> Supporting multiple IdPs for Admin UI login can be done in followup issues.
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
