[jira] [Commented] (SOLR-13070) Add JWT Auth support in SolrJ

Tue, 26 Oct 2021 13:14:04 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-13070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17434551#comment-17434551
 ] 

Timothy Potter commented on SOLR-13070:
---------------------------------------

Specifically, what do you mean by a "generic" solution [~janhoy]? 

As I see it, the SolrJ client side will need to be configured with an OIDC 
wellKnownUrl, clientId, and clientSecret and then use the 
{{client_credentials}} grant type to obtain a JWT from the configured 
provider's token endpoint. Suppose we don't need a library to parse the JSON 
response from the wellKnownUrl. Once the client has a JWT, it should cache it 
and send it as a {{Bearer}} token for all requests to Solr. The JWT ends up 
being mostly opaque to the SolrJ client side other than needing to handle 
expiration. Ideally, it wouldn't even need to worry about parsing the JWT to 
get the expiration time (so no need to add a new dependency to SolrJ) and 
instead just handle a token expired exception back from the server as an 
indication it needs to renew the cached token.

There's also the question of whether the OIDC provider's CA is trusted? I would 
just require users to add the CA cert to the truststore already supported by 
SolrJ vs. having yet another truststore location to configure ... but I'm open 
to either in this regard.

> Add JWT Auth support in SolrJ
> -----------------------------
>
>                 Key: SOLR-13070
>                 URL: https://issues.apache.org/jira/browse/SOLR-13070
>             Project: Solr
>          Issue Type: Improvement
>          Components: SolrJ
>            Reporter: Jan Høydahl
>            Assignee: Timothy Potter
>            Priority: Major
>
> When SOLR-12121 is done, we should add a way for SolrJ clients to add the 
> correct Authorization header for requests in order to pass the token in the 
> Authorization header.
> This should be a generic solution, not just a new {{setJwtCredentials}} on 
> SolrRequest.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org

Reply via email to