nodece opened a new issue, #18798: URL: https://github.com/apache/pulsar/issues/18798
### Motivation

Usually, we use one public or secret key to verify the JWT in Pulsar, but some users need to use different keys to verify the JWT. This is an excellent issue to improve JWT security: the client can send a different JWT to the broker, which then verifies it using the corresponding key. See https://github.com/apache/pulsar/issues/8152

### Goal

https://openid.net/specs/draft-jones-json-web-key-03.html defines the JSON Web Key Set (JWKS), a set of public keys (RSA or ECDSA) issued by the OAuth2 server and used to verify the JSON Web Token (JWT). The goal of this PIP is to add the JWKS feature to support rotation of validation keys.

### API Changes

_No response_

### Implementation

This feature needs a `tokenKeySetKey` config in the broker config file to pass JWKS data to the AuthenticationProviderToken, which then parses the JWKS data to generate all the keys when initializing. The JWT and JWK are associated by the `kid` value, one from the JWT header and one from the JWK body.

JWKS body:

```
{
  "keys": [
    {
      "kty": "EC",
      "crv": "P-256",
      "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
      "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
      "use": "enc",
      "kid": "app-1"
    },
    {
      "kty": "RSA",
      "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
      "e": "AQAB",
      "alg": "RS256",
      "kid": "app-2"
    }
  ]
}
```

JWT header:

```
{
  "alg": "HS256",
  "typ": "JWT",
  "kid": "app-2"
}
```

### Alternatives

_No response_

### Anything else?

PR: https://github.com/apache/pulsar/pull/18336

Reference:
- https://datatracker.ietf.org/doc/html/rfc7517
- https://openid.net/specs/draft-jones-json-web-key-03.html
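The key selection the Implementation section describes, as an added example that is not part of the PIP or of Pulsar (whose provider is written in Java): it parses a JWKS body into a map indexed by `kid` once at startup, picks the verification key from the `kid` in the token header, and pins the signature algorithm to the key's type. The function names, the `DemoJWKS` helper, the generated keys and the sample claims are constructed for this example; only the JWKS member names come from RFC 7517/7518. The caveat it exercises: the JWT header shown above names `app-2`, an RS256 key, but carries `alg: HS256`. A verifier that lets the header choose the algorithm would run HMAC-SHA256 with the RSA public key as the secret, and since that key is published in the JWKS anyone can mint such a token; the pinned-alg check is what refuses it.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE encodes headers, payloads, signatures and n/e as unpadded base64url

type jwk struct { // the RFC 7517/7518 members this example needs from an RSA verification key
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// ParseJWKS builds the kid -> public key map once, at provider init. RSA only here; other kty values (the EC key above) are skipped.
func ParseJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []jwk } // encoding/json matches "keys" case-insensitively
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		if k.Kty != "RSA" {
			continue
		}
		nb, errN := b64.DecodeString(k.N)
		eb, errE := b64.DecodeString(k.E)
		if k.Kid == "" || errN != nil || errE != nil {
			return nil, fmt.Errorf("RSA key %q: missing kid or bad base64url in n/e", k.Kid)
		}
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
	}
	return keys, nil
}

// VerifyRS256 checks a compact JWS: kid from the header selects the key, and alg is pinned to the
// key's type, so an HS256 token naming an RSA kid is refused instead of MAC-checked with the public key.
func VerifyRS256(token string, keys map[string]*rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	hj, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(hj, &hdr) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	key, ok := keys[hdr.Kid]
	if hdr.Alg != "RS256" || !ok {
		return nil, fmt.Errorf("alg %q with kid %q is not usable with this key set", hdr.Alg, hdr.Kid)
	}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, d[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	return b64.DecodeString(parts[1])
}

// SignRS256 is the issuer side for the demo: RS256 header naming kid, PKCS#1 v1.5 signature over SHA-256.
func SignRS256(claims []byte, kid string, priv *rsa.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	d := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return in + "." + b64.EncodeToString(sig)
}

// ForgeHS256 is the algorithm-confusion forgery: HS256 header naming an RSA kid, MACed with that key's public modulus.
func ForgeHS256(claims []byte, kid string, pub *rsa.PublicKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "kid": kid})
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	m := hmac.New(sha256.New, pub.N.Bytes())
	m.Write([]byte(in))
	return in + "." + b64.EncodeToString(m.Sum(nil))
}

// DemoJWKS publishes two demo keys in the JWKS shape shown above; "AQAB" is e=65537, which rsa.GenerateKey always uses.
func DemoJWKS(app1, app2 *rsa.PublicKey) []byte {
	return []byte(fmt.Sprintf(`{"keys":[{"kty":"RSA","kid":"app-1","n":%q,"e":"AQAB"},{"kty":"RSA","kid":"app-2","n":%q,"e":"AQAB"}]}`,
		b64.EncodeToString(app1.N.Bytes()), b64.EncodeToString(app2.N.Bytes())))
}

func main() {
	app1, _ := rsa.GenerateKey(rand.Reader, 2048)
	app2, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys, _ := ParseJWKS(DemoJWKS(&app1.PublicKey, &app2.PublicKey))
	claims := []byte(`{"sub":"producer-a"}`) // constructed sample claims
	_, errOK := VerifyRS256(SignRS256(claims, "app-2", app2), keys)                 // kid in the set
	_, errOld := VerifyRS256(SignRS256(claims, "app-0", app1), keys)                // kid rotated out
	_, errForged := VerifyRS256(ForgeHS256(claims, "app-2", &app2.PublicKey), keys) // alg confusion
	fmt.Println(errOK, errOld, errForged)
}
```

Rotation is then a matter of publishing the new key under a new `kid` and, once all tokens under the old `kid` have expired, removing it from the set; a token that still names the removed `kid` fails the lookup. Two points to carry into a broker implementation that this small example does not cover: reject the set at load time if two entries share a `kid`, since a lookup by `kid` is only meaningful when it is unique, and do not use entries whose `use` member is not `sig` for signature verification (the EC key in the body above is marked `enc`).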
