bharos commented on issue #10565: URL: https://github.com/apache/gravitino/issues/10565#issuecomment-4140050699
The routing approach follows two established standards:

1. RFC 7519 §4.1.1 — the `iss` (issuer) claim is the standard identifier for which authorization server issued a token. Using it to select the correct JWKS endpoint is the natural, spec-compliant approach.
2. OpenID Connect Core 1.0 §3.1.3.7 — ID Token validation MUST verify `iss` matches the expected issuer, and each issuer publishes its `jwks_uri` via OIDC Discovery. Our implementation is a direct application of this: one entry per issuer, each mapped to its own `jwks_uri`.

This pattern is also precedent in major frameworks — Spring Security's [JwtIssuerAuthenticationManagerResolver](https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/oauth2/server/resource/authentication/JwtIssuerAuthenticationManagerResolver.html) does exactly this: route by `iss` claim to the correct JWT decoder per issuer, which they call "multi-tenancy" support.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
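The per-issuer routing the comment describes, as an added example that is not code from the comment or from the Gravitino project: a resource server keeps one key set per trusted issuer, reads the token's `iss` claim only to pick which key set to verify against (with no fallback for an unknown issuer), verifies the signature with a key from that set, and only then trusts the claims. The issuer URLs, the `gravitino` audience value and the symmetric `oct` keys are constructed assumptions so the example runs offline; in a deployment each key set would come from the issuer's `jwks_uri`, and the routing logic is the same for RSA or EC keys.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed per-issuer key sets (assumption): one entry per trusted issuer,
# keyed by the exact `iss` value that issuer puts in its tokens. A deployment
# would fetch each entry from that issuer's jwks_uri (OIDC Discovery) and cache
# it; symmetric "oct" keys are used here only so the example runs offline.
ISSUER_JWKS = {
    "https://issuer-a.example": {"keys": [
        {"kty": "oct", "kid": "a-1", "k": b64url_encode(b"issuer-a-secret")}]},
    "https://issuer-b.example": {"keys": [
        {"kty": "oct", "kid": "b-1", "k": b64url_encode(b"issuer-b-secret")}]},
}
EXPECTED_AUD = "gravitino"  # assumed audience value for this resource server


class TokenRejected(Exception):
    """Raised for any token that fails routing or validation."""


def mint_token(issuer, kid, key, claims, ttl=300):
    """Build an HS256 JWT the way an issuer would; used only to construct test input."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"iss": issuer, "aud": EXPECTED_AUD, "exp": int(time.time()) + ttl, **claims}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "." +
                     b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def select_jwks(issuer):
    """Routing step: map the iss claim to that issuer's key set, with no fallback."""
    if not isinstance(issuer, str) or issuer not in ISSUER_JWKS:
        raise TokenRejected(f"unknown issuer {issuer!r}")
    return ISSUER_JWKS[issuer]


def verify_token(token, now=None):
    """Route by iss, verify the signature with that issuer's key, then check claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        raise TokenRejected("undecodable token") from None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise TokenRejected("header and payload must be JSON objects")

    # The algorithm is pinned; "none" or any unexpected alg is never accepted.
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")

    # `iss` is read before signature verification purely to choose the key set.
    # That is safe because the same payload bytes are covered by the signature:
    # a token claiming issuer A must verify under A's keys, so a token signed
    # by another issuer cannot borrow A's identity.
    jwks = select_jwks(payload.get("iss"))
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise TokenRejected("no key with this kid in the token's issuer key set")

    signing_input = (parts[0] + "." + parts[1]).encode()
    expected = hmac.new(b64url_decode(key["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")

    # Claims are only trusted after the signature check.
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        raise TokenRejected("expired or missing exp")
    if payload.get("aud") != EXPECTED_AUD:
        raise TokenRejected("audience mismatch")
    return payload


if __name__ == "__main__":
    tok = mint_token("https://issuer-a.example", "a-1", b"issuer-a-secret", {"sub": "alice"})
    print(verify_token(tok)["sub"])
```

Because the lookup is keyed on the exact `iss` string and there is no default entry, an unknown issuer is rejected before any signature work, and a token that names issuer A but carries issuer B's `kid` and signature fails in A's key set rather than being checked against B's keys.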
