[
https://issues.apache.org/jira/browse/KNOX-2146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17008666#comment-17008666
]
Matei C. commented on KNOX-2146:
--------------------------------
* Matei C. - can you attach your topology with the configured PEM encoded public
key?
I've attached the Knox JWT topology I use here, but due to security reasons I
cannot share the PEM public key of my IdP.
Nevertheless, I tested its format using openssl and validated that the public
key is in the correct format.
{code:bash}
root@local: ~ # openssl pkey -inform PEM -pubin -in knox-pubkey.pem -noout
root@local: ~ # echo $?
0
root@local: ~ #
{code}
[^knox_jwt_topo_apache_jira.txt]
* Did you happen to remove the header and footer of it ----BEGIN
CERTIFICATE---- and ----END CERTIFICATE----?
Yes, the headers were removed for the certificate test as well as the public
key test.
* Wait, I'm not sure what you are even trying here again. You want to verify
3rd party JWT token and it works with the PEM encoded cert for your IdP
configured within the topology. Seems that is exactly what you want to do. Why
are you then trying to configure what seems to be the Knox public key for
verifying the token from your IdP?
In short, I am trying to configure the Knox JWT topology to use the IdP's
public key to validate the tokens.
I am aware it works with a certificate as pointed out, but I have a use case in
which only a public key is available for JWT validation.
Regards,
Matei C.
> Docs: Knox JWT token signature verification using public key
> ------------------------------------------------------------
>
> Key: KNOX-2146
> URL: https://issues.apache.org/jira/browse/KNOX-2146
> Project: Apache Knox
> Issue Type: Bug
> Components: Site
> Affects Versions: 1.0.0
> Environment: Ubuntu 18.04, HDP 3.1
> Reporter: Matei C.
> Assignee: Larry McCay
> Priority: Minor
> Fix For: 1.4.0
>
> Attachments: knox_jwt_topo_apache_jira.txt,
> knox_jwt_topo_apache_jira.txt, knox_jwt_topo_apache_jira.txt
>
>
> Hello,
> I have configured an Apache Knox (1.0.0) topology to accept 3rd party JWTs
> by following this [Cloudera
> guide|https://community.cloudera.com/t5/Community-Articles/Knox-Accept-third-party-JWT/ta-p/248488].
>
> I would also like to verify the 3rd party JWTs based on their signature by
> adding my IdP's public key in PEM format for the JWT provider, but in the
> guide it is specified that only PEM certificates are accepted (' [...] *In
> current Knox version, public key is not supported, have to configure public
> certificate [...]*') and I have not found any relevant documentation from
> Knox on this subject.
>
> Can you please tell me if there is any solution to use public keys for JWT
> verification in Knox 1.0.0? If not, are there any plans to support this in
> future Knox releases?
> P.S.:
> When adding the 'knox.token.verification.pem' parameter with the public key
> in the JWT provider of my topology I noticed the below error in my
> gateway.log, which does seem to confirm the public key limitation.
>
> {code:java}
> javax.servlet.ServletException: javax.servlet.ServletException:
> CertificateException - PEM may be corrupt
> {code}
>
> Regards,
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)