[ 
https://issues.apache.org/jira/browse/SOLR-13070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17434740#comment-17434740
 ] 

Jan Høydahl edited comment on SOLR-13070 at 10/27/21, 8:45 AM:
---------------------------------------------------------------

I think the scope of this should not be to let SolrJ act as a full-blown OIDC 
client.

Rather, a typical use case is for federated security, that a user has logged in 
with OIDC to some application in the enterprise, and then clicks a search 
button, whereupon the user's JWT token is passed along to the API backend that 
talks to Solr using SolrJ. So the only thing SolrJ needs to do is have a way to 
relay that JWT to Solr.

With "generic" I mean: SolrRequest has hard-coded methods to set BasicAuth 
credentials 
([https://github.com/apache/solr/blob/main/solr/solrj/src/java/org/apache/solr/client/solrj/SolrRequest.java#L107:L118])
 and instead of adding another set of methods "setJWTCredentials()" etc, we 
should refactor into e.g. "setAuthorizationHeader()" or something, optionally 
with helper methods to generate the Basic base64-string based on user/pass. 
Also, a distributed request in Solr does not copy HTTP headers onto the next 
stage, so once you shard out, the header is lost, and we have other means of 
transferring credentials, or fallback to PKI.


was (Author: janhoy):
I think the scope of this should not be to let SolrJ act as a full-blown OIDC 
client.

Rather, a typical use case is for federated security, that a user has logged in 
with OIDC to some application in the enterprise, and then clicks a search 
button, whereupon the user's JWT token is passed along to the API backend that 
talks to Solr using SolrJ. So the only thing SolrJ needs to do is have a way to 
relay that JWT to Solr.

With "generic" I mean: SolrRequest has hard-coded methods to set BasicAuth 
credentials 
([https://github.com/apache/solr/blob/main/solr/solrj/src/java/org/apache/solr/client/solrj/SolrRequest.java#L107:L118])
 and instead of adding another set of methods "setJWTCredentials()" etc, we 
should refactor into e.g. "setAuthorizationHeader()" or something. Also, a 
distributed request in Solr does not copy HTTP headers onto the next stage, so 
once you shard out, the header is lost, and we have other means of transferring 
credentials, or fallback to PKI.

> Add JWT Auth support in SolrJ
> -----------------------------
>
>                 Key: SOLR-13070
>                 URL: https://issues.apache.org/jira/browse/SOLR-13070
>             Project: Solr
>          Issue Type: Improvement
>          Components: SolrJ
>            Reporter: Jan Høydahl
>            Assignee: Timothy Potter
>            Priority: Major
>
> When SOLR-12121 is done, we should add a way for SolrJ clients to add the 
> correct Authorization header for requests in order to pass the token in the 
> Authorization header.
> This should be a generic solution, not just a new {{setJwtCredentials}} on 
> SolrRequest.
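
The generic header setter proposed in the comment above, sketched as an added example; it is not SolrJ code and not from the issue. The class `AuthHeaderSketch`, its methods `basic()` and `bearer()`, and the sample values are hypothetical; only the name `setAuthorizationHeader()` comes from the comment.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical stand-in for a request object; not the SolrJ SolrRequest class. */
public class AuthHeaderSketch {
  private final Map<String, String> headers = new LinkedHashMap<>();

  /** Generic setter: one method for any scheme instead of one per scheme. */
  public AuthHeaderSketch setAuthorizationHeader(String value) {
    // Reject control characters so a relayed value cannot inject extra headers.
    if (value == null || value.chars().anyMatch(c -> c < 0x20 || c == 0x7f)) {
      throw new IllegalArgumentException("invalid Authorization header value");
    }
    headers.put("Authorization", value);
    return this;
  }

  /** Helper: builds the Basic value, base64 of "user:pass" (RFC 7617). */
  public static String basic(String user, String pass) {
    if (user.indexOf(':') >= 0) {
      throw new IllegalArgumentException("user-id must not contain ':'");
    }
    byte[] raw = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
    return "Basic " + Base64.getEncoder().encodeToString(raw);
  }

  /** Helper: relays a JWT the caller already holds; no OIDC flow happens here. */
  public static String bearer(String jwt) {
    // A compact JWS has exactly three base64url segments separated by dots.
    if (jwt == null || !jwt.matches("[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+")) {
      throw new IllegalArgumentException("not a compact JWT");
    }
    return "Bearer " + jwt;
  }

  public Map<String, String> getHeaders() { return headers; }

  public static void main(String[] args) {
    String jwt = "aGVhZGVy.cGF5bG9hZA.c2ln"; // constructed sample, not a real token
    System.out.println(new AuthHeaderSketch().setAuthorizationHeader(bearer(jwt)).getHeaders());
    System.out.println(new AuthHeaderSketch().setAuthorizationHeader(basic("solr", "example")).getHeaders());
  }
}
```

The shape check in `bearer()` is only a sanity filter on the relayed string; signature and claim validation remain the job of the server that receives the token.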


