nxverma opened a new pull request #216: KNOX-2149 - JWTTokenProvider - JWT verification with OIDC provider by invoking JWKS verification url
URL: https://github.com/apache/knox/pull/216

(It is very important that you created an Apache Knox JIRA for this change and that the PR title/commit message includes the Apache Knox JIRA ID!)
https://issues.apache.org/jira/browse/KNOX-2149

**What changes were proposed in this pull request?**

Change the code to pass the JWKS verification URL; if a key is changed, no Knox config change is required.

Change done to support using the JWKS verification URL to validate the token: class JWTFederationFilter was changed to take an additional parameter (the JWKS verification URL), and code was added to use this URL to get the public key and then use it to validate the token. This approach will make key rotation easy to manage.

Library used: https://github.com/okta/okta-jwt-verifier-java

As part of this patch, we are also extracting a custom claim from the JWT instead of the default subject.

**How was this patch tested?**

The patch was tested with fully manual test cases.
We deployed a modified code version of Knox (built on top of Knox 1.3.0).

Test 1: Able to invoke the Livy endpoint to submit a Spark job via Knox JWT-Okta authentication
Test Request:
```
curl -kvvvvvv --request POST --url https://localhost:8443/gateway/tokenbased/livy/v1/batches --header 'accept: application/json' --header 'authorization: Bearer eyJra...dfg' --data '{"file": "s3://aws-bigdata-blog/artifacts/aws-blog-emr-knox/spark-examples.jar", "className": "org.apache.spark.examples.SparkPi", "args": ["100"]}'
```

Test 2: Able to invoke the Knox admin REST endpoint to create a Knox topology and alias with JWT-Okta verification
Test Request:
```
curl -ivk -H "Authorization: Bearer eyJra...dffd" https://localhost:8443/gateway/admin/api/v1/topologies/tokenbased -X PUT -H 'Content-type: application/xml;charset=UTF-8' --data @payload-knox.json
```

Test 3: Able to submit Hive beeline SQL via Knox JWT-Okta authentication
Test Request:
```
jdbc:hive2://localhost:8443/;ssl=true;AllowSelfSignedCerts=1;AllowAllHostNames=1;sslTrustStore=/Users/abc/knox/install/knox-1.3.0/data/security/keystores/gateway.jks;;AuthMech=0;trustStorePassword=knox;transportMode=http;httpPath=gateway/tokenbased/hive;http.header.HiveAuthToken=eyJraWQiOiJp...df
```

Sample Knox Topology:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<topology>
  <uri>https://localhost:443/gateway/tokenbased</uri>
  <name>tokenbased</name>
  <generated>false</generated>
  <gateway>
    <provider>
      <role>federation</role>
      <name>JWTProvider</name>
      <enabled>true</enabled>
      <param>
        <name>jwks.thirdparty.token.verification.url</name>
        <value>https://test.okta.com/oauth2/aussdfgsg</value>
      </param>
      <param>
        <name>jwks.thirdparty.token.audience</name>
        <value>BigdataPlatform</value>
      </param>
      <param>
        <name>jwks.thirdparty.token.provider</name>
        <value>okta</value>
      </param>
      <param>
        <name>jwks.thirdparty.token.principal.claim</name>
        <value>empId</value>
      </param>
      <param>
        <name>jwt.expected.issuer</name>
        <value>https://test.okta.com/oauth2/aussdfgsg</value>
      </param>
      <param>
        <name>jwt.expected.sigalg</name>
        <value>RS256</value>
      </param>
    </provider>
    <provider>
      <role>hostmap</role>
      <name>static</name>
      <enabled>false</enabled>
      <param>
        <name>localhost</name>
        <value>localhost</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>LIVYSERVER</role>
    <url>https://localhost:8998</url>
  </service>
  <service>
    <role>HIVE</role>
    <url>http://localhost:10001/cliservice</url>
  </service>
</topology>
```

Please review Knox Contributing Process before opening a pull request.
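The verification flow the PR describes (resolve the signing key from the provider's JWKS by the token's `kid`, pin the algorithm, check issuer, audience and expiry, then take the principal from a configurable claim such as `empId`) as an added, self-contained example. This is not code from the Knox PR or from okta-jwt-verifier-java; it is a minimal RS256 verifier written here, using the `cryptography` package. The `fetch_jwks` callable stands in for an HTTP GET of the `jwks.thirdparty.token.verification.url`, and the issuer, audience, claim names and `kid` values are constructed sample values. It also shows why no gateway reconfiguration is needed on key rotation: an unknown `kid` triggers a JWKS refetch.

```python
# Added example, not Knox or okta-jwt-verifier code. Assumes the `cryptography` package.
import base64
import json
import time

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def int_to_b64url(n: int) -> str:
    return b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))


def make_jwks(private_keys: dict) -> dict:
    # The JWKS document an OIDC provider publishes: public parts only, one entry per kid.
    keys = []
    for kid, key in private_keys.items():
        nums = key.public_key().public_numbers()
        keys.append({"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                     "n": int_to_b64url(nums.n), "e": int_to_b64url(nums.e)})
    return {"keys": keys}


def sign_jwt(private_key, kid: str, claims: dict) -> str:
    # Issuer side: RS256 JWT whose header names the signing key by kid.
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = private_key.sign(signing_input.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url_encode(sig)


class JwksVerifier:
    # Gateway side. fetch_jwks stands in for fetching the JWKS verification URL (assumption).
    def __init__(self, fetch_jwks, issuer: str, audience: str, principal_claim: str):
        self.fetch_jwks, self.issuer = fetch_jwks, issuer
        self.audience, self.principal_claim = audience, principal_claim
        self.keys = {}  # kid -> JWK, cached between fetches

    def _refresh(self):
        self.keys = {k["kid"]: k for k in self.fetch_jwks()["keys"] if k.get("kty") == "RSA"}

    def _public_key(self, kid):
        if kid not in self.keys:
            self._refresh()  # unknown kid: the provider may have rotated keys, refetch once
        jwk = self.keys.get(kid)
        if jwk is None:
            raise ValueError("no JWKS key for kid %r" % kid)
        n = int.from_bytes(b64url_decode(jwk["n"]), "big")
        e = int.from_bytes(b64url_decode(jwk["e"]), "big")
        return RSAPublicNumbers(e, n).public_key(default_backend())

    def verify(self, token: str, now: float = None) -> str:
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed JWT")
        header = json.loads(b64url_decode(parts[0]))
        if header.get("alg") != "RS256":  # pin the algorithm, as jwt.expected.sigalg does
            raise ValueError("unexpected alg %r" % header.get("alg"))
        public_key = self._public_key(header.get("kid"))
        # Raises cryptography.exceptions.InvalidSignature on tampering or a wrong key.
        public_key.verify(b64url_decode(parts[2]), (parts[0] + "." + parts[1]).encode("ascii"),
                          padding.PKCS1v15(), hashes.SHA256())
        claims = json.loads(b64url_decode(parts[1]))
        now = time.time() if now is None else now
        if claims.get("iss") != self.issuer:
            raise ValueError("issuer mismatch")
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("audience mismatch")
        if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
            raise ValueError("token expired or missing exp")
        principal = claims.get(self.principal_claim)  # e.g. empId instead of sub
        if not principal:
            raise ValueError("principal claim %r missing" % self.principal_claim)
        return principal


def demo() -> dict:
    # Verify a token, rotate the provider key, verify again with no verifier reconfiguration.
    issuer, audience = "https://test.okta.com/oauth2/aussdfgsg", "BigdataPlatform"
    provider_keys = {"key-1": rsa.generate_private_key(65537, 2048, default_backend())}
    verifier = JwksVerifier(lambda: make_jwks(provider_keys), issuer, audience, "empId")
    now = int(time.time())
    claims = {"iss": issuer, "aud": audience, "sub": "user@example", "empId": "E12345",
              "iat": now, "exp": now + 300}
    first = verifier.verify(sign_jwt(provider_keys["key-1"], "key-1", claims))
    provider_keys["key-2"] = rsa.generate_private_key(65537, 2048, default_backend())
    second = verifier.verify(sign_jwt(provider_keys["key-2"], "key-2", claims))
    try:
        verifier.verify(sign_jwt(provider_keys["key-2"], "key-2", dict(claims, aud="Other")))
        wrong_aud = "accepted"
    except ValueError:
        wrong_aud = "rejected"
    return {"first": first, "after_rotation": second, "wrong_audience": wrong_aud}


if __name__ == "__main__":
    print(demo())
```

The `_public_key` lookup refreshes the cached JWKS only when a `kid` is unseen, which is what lets the gateway follow a provider key rollover without a topology change; a production verifier would additionally rate-limit those refetches so that tokens carrying random `kid` values cannot turn every request into an outbound JWKS fetch.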
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
