[ https://issues.apache.org/jira/browse/KNOX-2149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16995004#comment-16995004 ]

Neeraj Verma commented on KNOX-2149:
------------------------------------

Yes, it is correct. I created a branch locally from master and cherry-picked my
commits to that new branch (KNOX-2149) locally.

When I am trying to push, I am getting a permission denied error.

git clone https://github.com/apache/knox.git
git checkout -b KNOX-2149

// Apply my changes

git add .
git commit -m "KNOX-2149 - Added JWT OIDC Verification based on JWKS Urls and extract custom claim"
git push --set-upstream origin KNOX-2149

Username for 'https://github.com': nxverma
Password for 'https://nxve...@github.com':
remote: Permission to apache/knox.git denied to nxverma.
fatal: unable to access 'https://github.com/apache/knox.git/': The requested URL returned error: 403


> Knox JWTTokenProvider - JWT verification with OIDC provider by invoking JWKS 
> verification url
> ---------------------------------------------------------------------------------------------
>
>                 Key: KNOX-2149
>                 URL: https://issues.apache.org/jira/browse/KNOX-2149
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: KnoxSSO
>            Reporter: Saravanan Sathyamoorthy
>            Assignee: Saravanan Sathyamoorthy
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Current capability in Apache Knox -
>  Knox has pac4j provider
> ([https://knox.apache.org/books/knox-0-12-0/user-guide.html#Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect])
>  that provides OIDC support
> ([https://knox.apache.org/books/knox-0-12-0/user-guide.html#For+OpenID+Connect+support:]).
>  However this only works for UI applications.
> For REST API -> we need to use JWT token provider
> ([https://knox.apache.org/books/knox-0-12-0/user-guide.html#JWT+Provider])
> that takes .pem file (certificate with public key to decrypt the token) as
> argument.
>  Implementation class ->
> [https://github.com/apache/knox/blob/master/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java]
>  - takes (public static final String SSO_VERIFICATION_PEM =
> "sso.token.verification.pem") as argument.
> This .pem file is parsed to get the public key to validate the token.
>
>     // token verification pem
>     String verificationPEM = filterConfig.getInitParameter(SSO_VERIFICATION_PEM);
>     // setup the public key of the token issuer for verification
>     if (verificationPEM != null) {
>       publicKey = CertificateUtils.parseRSAPublicKey(verificationPEM);
>     }
>  
> Resolution:
>  Option 1 - We can change the code to pass the public key and use it for
> token validation. Downside is every time we change the key there should be a
> Knox config change.
>  Option 2 - We can change the code to pass the JWKS verification url and if a
> key is changed - no Knox config change is required. Change done to support
> using JWKS verification url to validate the token:
>  We selected Option 2 to make things more robust.
>  Class JWTFederationFilter was changed to get an additional parameter (JWKS
> verification url) and code to use this url to get the public key and then use
> this to validate the token. This approach will make it easy to manage key
> rotation.
>  Library used is - [https://github.com/okta/okta-jwt-verifier-java]
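The option-2 flow the ticket describes (pick the signing key by the token's kid from the JWKS document, re-fetch when the kid is unknown so a rotated provider key needs no Knox config change, then read a custom claim), as an added example in Go. This is not Knox's code and does not use okta-jwt-verifier-java; the in-memory fetch closure stands in for the HTTPS GET of the JWKS URL, and the provider side (jwksFor, signRS256, the kids 2019-12 and 2020-01, the groups claim) is constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Verifier caches provider keys by kid and re-fetches the JWKS document when a
// token names an unknown kid, so a rotated key needs no gateway config change.
type Verifier struct {
	fetch func() ([]byte, error) // stands in for an HTTPS GET of the JWKS URL (assumption: no network here)
	keys  map[string]*rsa.PublicKey
}

func (v *Verifier) refresh() error {
	var set struct{ Keys []struct{ Kid, Kty, N, E string } } // encoding/json matches the lower-case RFC 7517 names case-insensitively
	doc, err := v.fetch()
	if err != nil || json.Unmarshal(doc, &set) != nil {
		return errors.New("JWKS fetch or parse failed")
	}
	fresh := map[string]*rsa.PublicKey{} // full replacement: a retired kid must stop verifying
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && errN == nil && errE == nil {
			fresh[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	v.keys = fresh
	return nil
}

// Verify checks an RS256 compact JWS, enforces exp and returns all claims so the
// caller can read custom ones such as "groups".
func (v *Verifier) Verify(token string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	raw, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token, or alg is not RS256") // the token never picks the algorithm
	}
	key := v.keys[hdr.Kid]
	if key == nil { // unknown kid: refresh once (rate-limit this in production; the kid is attacker-controlled)
		if err := v.refresh(); err != nil {
			return nil, err
		}
		if key = v.keys[hdr.Kid]; key == nil {
			return nil, errors.New("no key for kid " + hdr.Kid)
		}
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var claims map[string]interface{}
	if raw, err = b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("expired or missing exp")
	}
	return claims, nil
}

// Constructed stand-in for the OIDC provider: publish the public key as JWKS, sign with the private key.
func jwksFor(kid string, pub *rsa.PublicKey) []byte {
	doc, _ := json.Marshal(map[string][]map[string]string{"keys": {{"kid": kid, "kty": "RSA",
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
	return doc
}

func signRS256(key *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig)
}

// RotationDemo runs the ticket's scenario: verify, rotate the provider key, verify again
// without touching the verifier, then confirm a token under the retired key is rejected.
func RotationDemo() (groups string, okBefore, okAfterRotation, retiredRejected bool) {
	now := time.Now()
	claims := map[string]interface{}{"sub": "alice", "groups": "admins", "exp": now.Add(time.Hour).Unix()}
	k1, _ := rsa.GenerateKey(rand.Reader, 2048)
	k2, _ := rsa.GenerateKey(rand.Reader, 2048)
	kid, pub := "2019-12", &k1.PublicKey // what the provider's JWKS URL currently serves (constructed kids)
	v := &Verifier{fetch: func() ([]byte, error) { return jwksFor(kid, pub), nil }, keys: map[string]*rsa.PublicKey{}}
	c, err := v.Verify(signRS256(k1, "2019-12", claims), now)
	okBefore = err == nil
	groups, _ = c["groups"].(string)
	kid, pub = "2020-01", &k2.PublicKey // the provider rotates; only the new key is published now
	_, err = v.Verify(signRS256(k2, "2020-01", claims), now)
	okAfterRotation = err == nil
	_, err = v.Verify(signRS256(k1, "2019-12", claims), now)
	retiredRejected = err != nil
	return
}
```

With a fixed PEM (option 1) the second Verify would fail until someone edited the gateway config; here it succeeds because the unknown kid triggers one JWKS re-fetch, and the token signed with the retired key is rejected because the cache is replaced rather than merged. Two things a production verifier adds on top of this: throttle the unknown-kid refresh, since an attacker can mint tokens with arbitrary kids and make the gateway hammer the JWKS URL, and check iss and aud against configured values, since a valid signature from the provider alone does not prove the token was meant for this gateway.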



--
This message was sent by Atlassian Jira
(v8.3.4#803005)