[ https://issues.apache.org/jira/browse/SOLR-13070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17434551#comment-17434551 ]
Timothy Potter commented on SOLR-13070: --------------------------------------- Specifically, what do you mean by a "generic" solution [~janhoy]? As I see it, the SolrJ client side will need to be configured with an OIDC wellKnownUrl, clientId, and clientSecret and then use the {{client_credentials}} grant type to obtain a JWT from the configured provider's token endpoint. Suppose we don't need a library to parse the JSON response from the wellKnownUrl. Once the client has a JWT, it should cache it and send it as a {{Bearer}} token for all requests to Solr. The JWT ends up being mostly opaque to the SolrJ client side other than needing to handle expiration. Ideally, it wouldn't even need to worry about parsing the JWT to get the expiration time (so no need to add a new dependency to SolrJ) and instead just handle a token expired exception back from the server as an indication it needs to renew the cached token. There's also the question of whether the OIDC provider's CA is trusted? I would just require users to add the CA cert to the truststore already supported by SolrJ vs. having yet another truststore location to configure ... but I'm open to either in this regard. > Add JWT Auth support in SolrJ > ----------------------------- > > Key: SOLR-13070 > URL: https://issues.apache.org/jira/browse/SOLR-13070 > Project: Solr > Issue Type: Improvement > Components: SolrJ > Reporter: Jan Høydahl > Assignee: Timothy Potter > Priority: Major > > When SOLR-12121 is done, we should add a way for SolrJ clients to add the > correct Authorization header for requests in order to pass the token in the > Authorization header. > This should be a generic solution, not just a new {{setJwtCredentials}} on > SolrRequest. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For additional commands, e-mail: issues-h...@solr.apache.org