janhoy opened a new pull request, #4334: URL: https://github.com/apache/solr/pull/4334
https://issues.apache.org/jira/browse/SOLR-18211

### Motivation

`org.bitbucket.b_c:jose4j` is unmaintained — its last release was March 2024 and it is a single-maintainer project. `com.nimbusds:nimbus-jose-jwt` is a well-maintained, widely-used JOSE/JWT library that was already present as a test dependency in this module.

### Changes

**`JWTIssuerConfig`**

- Replace `JsonWebKeySet` / `JsonWebKey` with nimbus `JWKSet` / `JWK`
- Replace `HttpsJwks` with a new inner class `JwkSetFetcher` wrapping nimbus's `ResourceRetriever` with synchronized caching and a configurable TTL
- Custom `ResourceRetriever` implementation preserves existing behaviour: trusted SSL certificates and hostname verification bypass for localhost endpoints

**`IssuerAwareJWSKeySelector`** (previously `JWTVerificationkeyResolver`)

- Renamed to reflect the nimbus interface it now implements (`JWSKeySelector<SecurityContext>`)
- Added `IssuerContext implements SecurityContext` to thread the JWT's (unverified) issuer claim from the payload to the key selector, enabling per-issuer key lookup
- Key selection uses `JWKSelector` + `JWKMatcher.forJWSHeader()` to match on `kid` and algorithm

**`JWTAuthPlugin`**

- Replace `JwtConsumer` / `JwtConsumerBuilder` with `DefaultJWTProcessor<SecurityContext>` + `DefaultJWTClaimsVerifier`
- JWT is pre-parsed (without signature verification) to extract the issuer and enforce the algorithm allowlist before full processing
- Explicit issuer value validation: when at least one issuer is configured with an `iss` value, the token's issuer must match

### Testing

All 65 existing tests pass unchanged (1 skipped). Passes `forbiddenApis`, `ecjLint`, `spotlessCheck`, and `validateLogCalls`.
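The pre-parse / allowlist / issuer-aware key selection flow described under `JWTAuthPlugin` and `IssuerAwareJWSKeySelector`, as an added illustration written against the nimbus-jose-jwt API; this is not code from the pull request or from Solr. The class and field names (`IssuerAwareJwtVerifier`, `keysByIssuer`) are hypothetical, the per-issuer `JWKSet` map stands in for the PR's `JwkSetFetcher` cache, and it simplifies the PR's conditional issuer check by always requiring a configured issuer.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyConverter;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.security.Key;
import java.text.ParseException;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class IssuerAwareJwtVerifier {
  /** Carries the still-unverified iss claim from the payload to the key selector. */
  static final class IssuerContext implements SecurityContext {
    final String issuer;
    IssuerContext(String issuer) { this.issuer = issuer; }
  }

  private final Map<String, JWKSet> keysByIssuer; // hypothetical stand-in for the PR's cached fetcher
  private final Set<JWSAlgorithm> allowedAlgs;
  private final DefaultJWTProcessor<IssuerContext> processor = new DefaultJWTProcessor<>();

  IssuerAwareJwtVerifier(Map<String, JWKSet> keysByIssuer, Set<JWSAlgorithm> allowedAlgs) {
    this.keysByIssuer = keysByIssuer;
    this.allowedAlgs = allowedAlgs;
    // Per-issuer key lookup: only the JWK set configured for the token's issuer is consulted,
    // and within it only keys matching the header's kid/alg (JWKMatcher.forJWSHeader).
    processor.setJWSKeySelector((JWSHeader header, IssuerContext ctx) -> {
      JWKSet jwks = ctx == null ? null : keysByIssuer.get(ctx.issuer);
      if (jwks == null) return List.<Key>of(); // no candidate keys -> signature cannot verify
      List<JWK> matches = new JWKSelector(JWKMatcher.forJWSHeader(header)).select(jwks);
      return KeyConverter.toJavaKeys(matches);
    });
    // Require iss and exp to be present; exp/nbf timing is checked by the default verifier.
    processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(null, Set.of("iss", "exp")));
  }

  /** Pre-parse without signature verification to enforce the alg allowlist and read iss. */
  JWTClaimsSet verify(String token) throws ParseException, BadJOSEException, JOSEException {
    SignedJWT jwt = SignedJWT.parse(token);
    JWSAlgorithm alg = jwt.getHeader().getAlgorithm();
    if (!allowedAlgs.contains(alg)) {
      throw new BadJOSEException("alg " + alg + " is not on the allowlist");
    }
    String issuer = jwt.getJWTClaimsSet().getIssuer(); // trusted only after process() succeeds
    if (issuer == null || !keysByIssuer.containsKey(issuer)) {
      throw new BadJOSEException("issuer not configured: " + issuer);
    }
    return processor.process(jwt, new IssuerContext(issuer)); // signature + claims verification
  }
}
```

The allowlist check runs before any key is fetched, so a token naming an unexpected algorithm is rejected without a network round trip, and a mismatch between the pre-parsed `iss` and the key actually used can only fail closed because the selector never returns keys from another issuer.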
