[ https://issues.apache.org/jira/browse/SOLR-13734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16930623#comment-16930623 ]
Jason Gerlowski commented on SOLR-13734: ---------------------------------------- What's the purpose of the distinction between the "primary" issuer and the secondary issuers under the {{issuers}} key? I imagine the "primary" issuer is just kept around for back-compat purposes? If it's just for back-compat, I understand it needs to be done, but it's a shame. The JSON would be easier to understand (IMO) if everything lived under the new {{issuers}} key post-9.0. Would it be possible to mark {{iss}}, {{jwkUrl}} etc as deprecated outside of the {{issuers}} hash in this PR? That'd make it easier to get to the cleaner alternative at some point down the road... > JWTAuthPlugin to support multiple issuers > ----------------------------------------- > > Key: SOLR-13734 > URL: https://issues.apache.org/jira/browse/SOLR-13734 > Project: Solr > Issue Type: New Feature > Security Level: Public(Default Security Level. Issues are Public) > Components: security > Reporter: Jan Høydahl > Assignee: Jan Høydahl > Priority: Major > Labels: JWT, authentication, pull-request-available > Fix For: 8.3 > > Attachments: jwt-authentication-plugin.html > > Time Spent: 20m > Remaining Estimate: 0h > > In some large enterprise environments, there is more than one [Identity > Provider|https://en.wikipedia.org/wiki/Identity_provider] to issue tokens for > users. The equivalent example from the public internet is logging in to a > website and choose between multiple pre-defined IdPs (such as Google, GitHub, > Facebook etc) in the Oauth2/OIDC flow. > In the enterprise the IdPs could be public ones but most likely they will be > private IdPs in various networks inside the enterprise. Users will interact > with a search application, e.g. one providing enterprise wide search, and > will authenticate with one out of several IdPs depending on their local > affiliation. The search app will then request an access token (JWT) for the > user and issue requests to Solr using that token. > The JWT plugin currently supports exactly one IdP. This JIRA will extend > support for multiple IdPs for access token validation only. To limit the > scope of this Jira, Admin UI login must still happen to the "primary" IdP. > Supporting multiple IdPs for Admin UI login can be done in followup issues. -- This message was sent by Atlassian Jira (v8.3.2#803003) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org For additional commands, e-mail: issues-h...@lucene.apache.org