[
https://issues.apache.org/jira/browse/KNOX-1549?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16672098#comment-16672098
]
Kevin Risden edited comment on KNOX-1549 at 11/1/18 7:57 PM:
-------------------------------------------------------------
* Currently all JWT tokens from KnoxSSO are being signed by the gateway private key
** [KnoxSSO calls Token service|https://github.com/apache/knox/blob/master/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java#L225] to get token
** Token service is already [signing each token|https://github.com/apache/knox/blob/master/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityService.java#L146]
** [Signing key alias and passphrase|https://github.com/apache/knox/blob/master/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityService.java#L161] fall back to gateway defaults
** [Signing keystore is assumed to be a file|https://github.com/apache/knox/blob/master/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java#L146]
* Changes required
** Add configurations to WebSSOResource for:
*** signingKeyPassphrase
*** signingKeyAlias
*** signingKeystorePath
** Add TokenService support for issuing a token with a custom signingKeyPassphrase, signingKeyAlias, signingKeystorePath
*** Need to add an issueToken method taking the additional arguments
** Add KeystoreService support for a custom signingKeystorePath
*** Need to add a getSigningKey method taking an additional argument
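The resolution order and the extra issueToken/getSigningKey arguments the comment proposes, as an added example that is not Knox code and not from the ticket: it uses only the JDK (8 or later), stores each topology's signing key as an HMAC secret in a PKCS12 keystore so that no certificate chain is needed (Knox itself signs with the gateway RSA private key; the key type is a simplification here), and the SigningKeyConfig class, its field names, STORE_PASSWORD, the resolve/getSigningKey/issueToken/verify methods, and the keystore file and alias names are all hypothetical. The demo builds its own keystore files under a temporary directory, so it runs offline.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;

public class TopologySigningKeyDemo {

    /** Hypothetical per-topology settings; a null field means "use the gateway default". */
    static final class SigningKeyConfig {
        final String keystorePath, keyAlias, keyPassphrase;
        SigningKeyConfig(String keystorePath, String keyAlias, String keyPassphrase) {
            this.keystorePath = keystorePath;
            this.keyAlias = keyAlias;
            this.keyPassphrase = keyPassphrase;
        }
    }

    /** Stand-in for the password protecting every keystore file (assumption; Knox uses its master secret). */
    static final char[] STORE_PASSWORD = "master-secret".toCharArray();

    /** Field-by-field fallback: a topology may override only the alias, only the path, or all three. */
    static SigningKeyConfig resolve(SigningKeyConfig topology, SigningKeyConfig gatewayDefaults) {
        if (topology == null) return gatewayDefaults;
        return new SigningKeyConfig(
                topology.keystorePath != null ? topology.keystorePath : gatewayDefaults.keystorePath,
                topology.keyAlias != null ? topology.keyAlias : gatewayDefaults.keyAlias,
                topology.keyPassphrase != null ? topology.keyPassphrase : gatewayDefaults.keyPassphrase);
    }

    /** A getSigningKey that takes the keystore path explicitly instead of assuming the gateway keystore. */
    static SecretKey getSigningKey(SigningKeyConfig cfg) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(cfg.keystorePath)) {
            ks.load(in, STORE_PASSWORD);
        }
        Key key = ks.getKey(cfg.keyAlias, cfg.keyPassphrase.toCharArray());
        if (!(key instanceof SecretKey)) {
            throw new IllegalStateException("no secret key under alias " + cfg.keyAlias + " in " + cfg.keystorePath);
        }
        return (SecretKey) key;
    }

    static byte[] hmac(SecretKey key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    /** An issueToken that signs with whatever key the resolved config yields (minimal HS256 JWT). */
    static String issueToken(String subject, String audience, long expEpochSeconds, SecretKey key) throws Exception {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String header = b64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String claims = String.format("{\"sub\":\"%s\",\"aud\":\"%s\",\"exp\":%d}", subject, audience, expEpochSeconds);
        String signingInput = header + "." + b64.encodeToString(claims.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + b64.encodeToString(hmac(key, signingInput));
    }

    /** Signature check only (exp/aud checks omitted); always HS256 with the given key, never the token's alg header. */
    static boolean verify(String jwt, SecretKey key) throws Exception {
        int dot = jwt.lastIndexOf('.');
        if (dot < 0) return false;
        byte[] expected = hmac(key, jwt.substring(0, dot));
        byte[] presented = Base64.getUrlDecoder().decode(jwt.substring(dot + 1));
        return MessageDigest.isEqual(expected, presented);
    }

    /** Constructed demo keystore holding one HMAC key under the given alias. */
    static SigningKeyConfig createKeystore(Path file, String alias, String keyPassphrase) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("HmacSHA256");
        kg.init(256);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry(alias, kg.generateKey(), keyPassphrase.toCharArray(), null);
        try (FileOutputStream out = new FileOutputStream(file.toFile())) {
            ks.store(out, STORE_PASSWORD);
        }
        return new SigningKeyConfig(file.toString(), alias, keyPassphrase);
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("knoxsso-signing-demo");
        SigningKeyConfig gateway = createKeystore(dir.resolve("gateway.p12"), "gateway-identity", "gw-key-pass");
        SigningKeyConfig sandbox = createKeystore(dir.resolve("sandbox-signing.p12"), "sandbox-signing", "sb-key-pass");
        long exp = System.currentTimeMillis() / 1000 + 3600;
        // A topology with no override falls back to the gateway key, which is today's behaviour.
        SecretKey defaultKey = getSigningKey(resolve(null, gateway));
        // A topology with its own keystore, alias and passphrase gets an isolated key.
        SecretKey sandboxKey = getSigningKey(resolve(sandbox, gateway));
        String token = issueToken("alice", "sandbox", exp, sandboxKey);
        // A token minted under the sandbox key must be accepted there and rejected under the gateway key.
        System.out.println("verifies with sandbox key: " + verify(token, sandboxKey));
        System.out.println("verifies with gateway key: " + verify(token, defaultKey));
    }
}
```

Compile and run with `javac TopologySigningKeyDemo.java && java TopologySigningKeyDemo`. The second check is the point of the feature: once a topology has its own signing key, a token issued for it no longer validates under the gateway key, so compromise or reuse of one topology's key does not extend to the others; topologies that set none of the three options keep today's fallback to the gateway defaults. The verifier deliberately fixes the algorithm and key on its side rather than trusting the token's `alg` header.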
> KnoxSSO should support signing keys per topology
> ------------------------------------------------
>
> Key: KNOX-1549
> URL: https://issues.apache.org/jira/browse/KNOX-1549
> Project: Apache Knox
> Issue Type: New Feature
> Reporter: Kevin Risden
> Assignee: Kevin Risden
> Priority: Major
> Fix For: 1.3.0
>
>
> Currently KnoxSSO signs all tokens with the gateway private key. This should
> be configurable to have separate signing keys per topology.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)