kparisa commented on issue #1762: URL: https://github.com/apache/iggy/issues/1762#issuecomment-3793976261
@Tyooughtul At a high level, it's in the right direction. Adding JWT auth to Iggy is anyway a good feature.

I'd recommend supporting multiple issuers. A2A ecosystems are often multi-tenant. You might have agents from Google Cloud (Google Identity) and agents from a partner (Okta/Auth0) interacting on the same bus. So, instead of a single jwks_url, consider a list of trusted issuers in the config, each with its own jwks_url and an audience check.

Also, you cannot fetch the JWKS from the Auth Server on every incoming connection or message. So, we'd need to implement a caching strategy with a Time-to-Live (TTL) respecting the headers from the Auth Server. And if a token signature fails, Iggy should attempt a "lazy refresh" of the JWKS before rejecting the request, just in case the server rotated keys recently.

After this, we can use A2A's async/PubSub mode?
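The per-issuer JWKS cache the comment describes, as an added Rust sketch that is not Iggy's code or part of the issue: a list of trusted issuers each with its own jwks_url and audience, a TTL taken from the JWKS response, and at most one lazy refresh on an unknown kid or failed signature. `Fetch` and `Verify` are hypothetical stand-ins for the HTTPS GET and the real signature check; the `min_refresh_gap` floor is an added caveat so a stream of bad tokens cannot force a fetch per request.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// One trusted issuer: its own JWKS endpoint and the audience its tokens must carry.
pub struct Issuer { pub iss: String, pub jwks_url: String, pub audience: String }
/// Claims already parsed out of a token (header/claims decoding is out of scope here).
pub struct Token { pub iss: String, pub aud: String, pub kid: String, pub sig: Vec<u8> }
/// Hypothetical stand-ins: `fetch(url)` does the HTTPS GET of the JWKS and returns
/// (kid, key material) pairs plus the TTL taken from the response's Cache-Control;
/// `verify(key, token)` is the actual signature check.
pub type Fetch<'a> = &'a dyn Fn(&str) -> (Vec<(String, Vec<u8>)>, Duration);
pub type Verify<'a> = &'a dyn Fn(&[u8], &Token) -> bool;

pub struct JwksCache {
    keys: HashMap<String, Vec<u8>>,
    fetched_at: Instant,
    ttl: Duration,
    min_refresh_gap: Duration, // floor between refreshes so bad tokens can't hammer the issuer
    pub fetches: u32,          // exposed so callers (and tests) can see how often we hit the network
}

impl JwksCache {
    pub fn new(min_refresh_gap: Duration) -> Self {
        Self { keys: HashMap::new(), fetched_at: Instant::now(), ttl: Duration::ZERO, min_refresh_gap, fetches: 0 }
    }

    fn refresh(&mut self, url: &str, fetch: Fetch<'_>) {
        let (keys, ttl) = fetch(url);
        self.keys = keys.into_iter().collect();
        self.fetched_at = Instant::now();
        self.ttl = ttl;
        self.fetches += 1;
    }

    /// Issuer/audience check first, TTL-based refresh, then at most one lazy refresh
    /// before rejecting (covers a key rotation that happened after the last fetch).
    pub fn validate(&mut self, issuer: &Issuer, tok: &Token, fetch: Fetch<'_>, verify: Verify<'_>) -> bool {
        // Wrong tenant or wrong audience is rejected before touching the network.
        if tok.iss != issuer.iss || tok.aud != issuer.audience { return false; }
        if self.fetches == 0 || self.fetched_at.elapsed() >= self.ttl {
            self.refresh(&issuer.jwks_url, fetch);
        }
        if self.keys.get(&tok.kid).map_or(false, |k| verify(k, tok)) { return true; }
        // Unknown kid or bad signature: refresh once in case keys rotated, unless we just did.
        if self.fetched_at.elapsed() < self.min_refresh_gap { return false; }
        self.refresh(&issuer.jwks_url, fetch);
        self.keys.get(&tok.kid).map_or(false, |k| verify(k, tok))
    }
}
```

A real deployment would hold one `JwksCache` per entry in the issuer list and pick it by the token's `iss` claim before calling `validate`.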
