KNOX-3040 - Support multiple ways to verify JWT tokens #915

Merged: 2 commits, Jun 7, 2024

@moresandeep moresandeep commented Jun 6, 2024

What changes were proposed in this pull request?

This PR adds the ability to validate a JWT token in multiple ways at the same time. Previously, we could only authenticate a JWT token using one of:

  1. PEM cert
  2. JWKS URL
  3. Knox signing key

With this PR, Knox will validate the incoming JWT token using all the above mechanisms if they are configured.

Example provider config:

<provider>
    <role>federation</role>
    <name>JWTProvider</name>
    <enabled>true</enabled>
    <param>
        <name>knox.token.use.cookie</name>
        <value>true</value>
    </param>
    <param>
        <name>knox.token.jwks.url</name>
        <value>https://my.idp.com/oauth/.wellknown</value>
    </param>
    <param>
        <name>knox.token.verification.pem</name>
        <value>MIIDaDCCAlCgAwIBAgIJAKFjn6W+gdAXMA0GCSqGSIb3DQEBBQUAMF8xCzAJBgNVBAYTAlVTMQ0wC...</value>
    </param>
    <param>
        <name>jwt.expected.issuer</name>
        <value>https://my.idp.com/</value>
    </param>
</provider>

How was this patch tested?

This patch was tested locally.

@moresandeep moresandeep requested review from lmccay and pzampino June 6, 2024 14:00
@moresandeep moresandeep merged commit 7980cda into apache:master Jun 7, 2024
2 checks passed
@moresandeep moresandeep added the JWT label Jun 7, 2024
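
The behaviour described in the PR, as an added example that is not Knox's code or part of the original pull request: a token is checked against every configured key source, and the source that verified it is reported for audit logging. The class and method names are hypothetical, the three RSA key pairs are generated in-process as stand-ins for the PEM certificate, the JWKS key and the Knox signing key, and accepting on the first source that verifies is an assumption about how "all the above mechanisms" are combined.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class MultiVerifierDemo {
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder DEC = Base64.getUrlDecoder();

    // Build a compact RS256 JWS over the given JSON claims (used only to create test tokens).
    static String sign(String claimsJson, PrivateKey key) throws GeneralSecurityException {
        String header = ENC.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String body = ENC.encodeToString(claimsJson.getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update((header + "." + body).getBytes(StandardCharsets.US_ASCII));
        return header + "." + body + "." + ENC.encodeToString(s.sign());
    }

    // Try each configured source in order; return the name of the first one whose key verifies.
    static Optional<String> verify(String token, Map<String, PublicKey> sources) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return Optional.empty();
        byte[] signed = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        byte[] sig;
        try { sig = DEC.decode(parts[2]); } catch (IllegalArgumentException e) { return Optional.empty(); }
        for (Map.Entry<String, PublicKey> src : sources.entrySet()) {
            try {
                // Algorithm is pinned here; the token's own "alg" header is never consulted.
                Signature v = Signature.getInstance("SHA256withRSA");
                v.initVerify(src.getValue());
                v.update(signed);
                if (v.verify(sig)) return Optional.of(src.getKey());
            } catch (GeneralSecurityException e) { /* this source cannot verify the token; try the next */ }
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pem = gen.generateKeyPair(), jwks = gen.generateKeyPair(),
                knox = gen.generateKeyPair(), unconfigured = gen.generateKeyPair();
        Map<String, PublicKey> sources = new LinkedHashMap<>(); // insertion order = evaluation order
        sources.put("knox.token.verification.pem", pem.getPublic());
        sources.put("knox.token.jwks.url", jwks.getPublic());
        sources.put("knox-signing-key", knox.getPublic()); // label constructed for this example
        String claims = "{\"iss\":\"https://my.idp.com/\",\"sub\":\"alice\"}"; // constructed sample claims
        for (KeyPair signer : List.of(pem, jwks, knox, unconfigured))
            System.out.println(verify(sign(claims, signer.getPrivate()), sources).orElse("REJECTED"));
    }
}
```

Under these assumptions the set of trusted signers is the union of every configured source, so claim checks such as `jwt.expected.issuer` still have to be applied to a token whichever key verified it. Logging the matching source shows whether a PEM or JWKS entry is still in use before it is removed from the topology.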