[ https://issues.apache.org/jira/browse/SOLR-13734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16924154#comment-16924154 ]
Jan Høydahl commented on SOLR-13734: ------------------------------------ Sample {{security.json}} with the new syntax: {code:javascript} { "authentication": { "class": "solr.JWTAuthPlugin", "scope": "solr:read solr:write solr:admin", "issuers": [ { "name": "myMainIssuer", "iss": "https://mainIdp/", "aud": "solr", "jwkUrl": ["https://mainIdp/jwk-endpoint1", "https://mainIdp/jwk-endpoint2"] }, { "name": "myExtraIssuer", "wellKnownUrl": "https://extraIdp/.well-known/openid-configuration" } ] } }{code} This syntax makes the configuration easier to read and can be used for configuring any number of issuers. Note that the old syntax of configuring 'its', 'wellKnownUrl' etc as top-level JSON keys still works for back-compat but will generate a log warning. > JWTAuthPlugin to support multiple issuers > ----------------------------------------- > > Key: SOLR-13734 > URL: https://issues.apache.org/jira/browse/SOLR-13734 > Project: Solr > Issue Type: New Feature > Security Level: Public(Default Security Level. Issues are Public) > Components: security > Reporter: Jan Høydahl > Assignee: Jan Høydahl > Priority: Major > Labels: JWT, authentication > Time Spent: 10m > Remaining Estimate: 0h > > In some large enterprise environments, there is more than one [Identity > Provider|https://en.wikipedia.org/wiki/Identity_provider] to issue tokens for > users. The equivalent example from the public internet is logging in to a > website and choose between multiple pre-defined IdPs (such as Google, GitHub, > Facebook etc) in the Oauth2/OIDC flow. > In the enterprise the IdPs could be public ones but most likely they will be > private IdPs in various networks inside the enterprise. Users will interact > with a search application, e.g. one providing enterprise wide search, and > will authenticate with one out of several IdPs depending on their local > affiliation. The search app will then request an access token (JWT) for the > user and issue requests to Solr using that token. > The JWT plugin currently supports exactly one IdP. This JIRA will extend > support for multiple IdPs for access token validation only. To limit the > scope of this Jira, Admin UI login must still happen to the "primary" IdP. > Supporting multiple IdPs for Admin UI login can be done in followup issues. -- This message was sent by Atlassian Jira (v8.3.2#803003) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org