[ 
https://issues.apache.org/jira/browse/HADOOP-11717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14362602#comment-14362602
 ] 

Haohui Mai commented on HADOOP-11717:
-------------------------------------

I'm not an expert in the area, but got a couple of questions and would appreciate 
some explanations:

* How far off is it if I need to implement the OAuth 2.0 protocol?
* Does it mean that JWT tokens are the format of the auth cookie in Hadoop SSO 
cases? Many SSO implementations talk OAuth 2.0, and it doesn't seem that it 
specifies the token has to be in JSON.
* Can you separate the mechanism (if there's no authentication token, then 
redirect) and the real implementation (JWT tokens)? I don't really follow why 
RSA / PEM are required if SSO is the end-goal -- looks like only integrity 
is required here, and a simple HMAC would work as what we did in the Hadoop 
delegation token.

Thanks.

> Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth
> -------------------------------------------------------------
>
>                 Key: HADOOP-11717
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11717
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>         Attachments: HADOOP-11717-1.patch, HADOOP-11717-2.patch, 
> HADOOP-11717-3.patch
>
>
> Extend AltKerberosAuthenticationHandler to provide WebSSO flow for UIs.
> The actual authentication is done by some external service that the handler 
> will redirect to when there is no hadoop.auth cookie and no JWT token found 
> in the incoming request.
> Using JWT provides a number of benefits:
> * It is not tied to any specific authentication mechanism - so buys us many 
> SSO integrations
> * It is cryptographically verifiable for determining whether it can be trusted
> * Checking for expiration allows for a limited lifetime and window for 
> compromised use
> This will introduce the use of nimbus-jose-jwt library for processing, 
> validating and parsing JWT tokens.
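The handler flow the issue describes (pass through when a hadoop.auth cookie is present, otherwise verify a JWT, otherwise redirect to the external SSO service) and the HMAC-versus-RSA question in the comment above, as an added example. This is not code from the HADOOP-11717 patches or from nimbus-jose-jwt; it is a stand-alone Python sketch using only the standard library, so it signs and verifies with HS256 (the HMAC variant the comment asks about) rather than RSA. The cookie name `hadoop-jwt`, the `originalUrl` redirect parameter and the sample secret are assumptions, not values taken from the issue. One property worth noting when comparing the two: with HMAC the verifier holds the same key that signs tokens, so every service that validates tokens can also mint them; with RSA a validating service needs only the public key.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple
from urllib.parse import quote

# Cookie name and redirect parameter are assumptions for this example,
# not names defined by HADOOP-11717.
JWT_COOKIE = "hadoop-jwt"
ORIGINAL_URL_PARAM = "originalUrl"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact JWT signed with HMAC-SHA256 (what an SSO issuer would do)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                       separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes, now: float) -> Optional[dict]:
    """Return the claims if the token is well-formed, correctly signed and unexpired.

    Returns None on any failure; the caller treats None as 'no usable token'.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    # The verifier pins the algorithm it accepts; the token header never chooses it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    # Expiration check: this is the bounded window the issue text refers to.
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or now >= exp:
        return None
    if not isinstance(claims.get("sub"), str):
        return None
    return claims


def handle_request(cookies: dict, request_url: str, now: float,
                   secret: bytes, sso_url: str) -> Tuple[str, str]:
    """Decide what the handler does with an incoming request.

    Returns ("authenticated", principal) or ("redirect", location).
    The hadoop.auth cookie is validated by the existing AuthenticationFilter
    in Hadoop; here its presence alone is treated as 'already authenticated'.
    """
    if "hadoop.auth" in cookies:
        return ("authenticated", "hadoop.auth")
    token = cookies.get(JWT_COOKIE)
    if token:
        claims = verify_hs256(token, secret, now)
        if claims is not None:
            return ("authenticated", claims["sub"])
    # No cookie and no valid JWT: send the browser to the external SSO service.
    location = f"{sso_url}?{ORIGINAL_URL_PARAM}={quote(request_url, safe='')}"
    return ("redirect", location)


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    secret = b"constructed-shared-secret"
    token = sign_hs256({"sub": "alice", "exp": 2000}, secret)
    print(handle_request({JWT_COOKIE: token}, "https://nn.example/ui", 1000,
                         secret, "https://sso.example/login"))
    print(handle_request({}, "https://nn.example/ui", 1000,
                         secret, "https://sso.example/login"))
```

The three rejection paths (wrong key, altered claims, expired token) all collapse to the same outcome, a redirect, so a tampered token never yields a different error than a missing one.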



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)