[
https://issues.apache.org/jira/browse/KNOX-2732?focusedWorklogId=759113&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-759113
]
ASF GitHub Bot logged work on KNOX-2732:
----------------------------------------
Author: ASF GitHub Bot
Created on: 20/Apr/22 10:50
Start Date: 20/Apr/22 10:50
Worklog Time Spent: 10m
Work Description: moresandeep commented on code in PR #560:
URL: https://github.com/apache/knox/pull/560#discussion_r853988760
##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java:
##########
@@ -68,6 +70,10 @@ public void init( FilterConfig filterConfig ) throws
ServletException {
GatewayServices services = (GatewayServices)
filterConfig.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
authority = services.getService(ServiceType.TOKEN_SERVICE);
sr = services.getService(ServiceType.SERVICE_REGISTRY_SERVICE);
+
+ this.tokenIssuer =
filterConfig.getInitParameter(JWTAccessTokenAssertionFilter.ISSUER) != null
Review Comment:
We should check for a blank string too.
##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java:
##########
@@ -141,7 +147,13 @@ private String getAccessToken(final String principalName,
String serviceName, lo
JWT token;
try {
- final JWTokenAttributes jwtAttributes = new
JWTokenAttributesBuilder().setUserName(principalName).setAudiences(serviceName).setAlgorithm(signatureAlgorithm).setExpires(expires).build();
+ final JWTokenAttributes jwtAttributes = new JWTokenAttributesBuilder()
Review Comment:
Thanks :)
##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java:
##########
@@ -55,6 +57,10 @@ public void init( FilterConfig filterConfig ) throws
ServletException {
GatewayServices services = (GatewayServices)
filterConfig.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
authority = services.getService(ServiceType.TOKEN_SERVICE);
sr = services.getService(ServiceType.SERVICE_REGISTRY_SERVICE);
+
+ this.tokenIssuer =
filterConfig.getInitParameter(JWTAccessTokenAssertionFilter.ISSUER) != null
+ ?
filterConfig.getInitParameter(JWTAccessTokenAssertionFilter.ISSUER)
Review Comment:
As per RFC https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
issuer is a `principal` and not principals but could there be cases where we
might need to support multiple issuers? if not we are golden. Just wanted to
raise this.
##########
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##########
@@ -242,6 +243,9 @@ public void init() throws AliasServiceException,
ServiceLifecycleException, KeyL
? true
: Boolean.parseBoolean(includeGroupsInTokenAllowedParam);
+ this.tokenIssuer = context.getInitParameter(KNOX_TOKEN_ISSUER) != null
Review Comment:
Check for blank string.
##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java:
##########
@@ -42,6 +43,7 @@ public class JWTAuthCodeAssertionFilter extends
AbstractIdentityAssertionFilter
private JWTokenAuthority authority;
private ServiceRegistry sr;
+ private String tokenIssuer;
@Override
public void init( FilterConfig filterConfig ) throws ServletException {
Review Comment:
Not related to this change but we have some code duplication here with
`JWTAccessTokenAssertionFilter` We can prolly combine it into a common base
class. Not required here but would be nice.
##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java:
##########
@@ -55,6 +57,10 @@ public void init( FilterConfig filterConfig ) throws
ServletException {
GatewayServices services = (GatewayServices)
filterConfig.getServletContext().getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
authority = services.getService(ServiceType.TOKEN_SERVICE);
sr = services.getService(ServiceType.SERVICE_REGISTRY_SERVICE);
+
+ this.tokenIssuer =
filterConfig.getInitParameter(JWTAccessTokenAssertionFilter.ISSUER) != null
Review Comment:
We should check for blank string.
Issue Time Tracking
-------------------
Worklog Id: (was: 759113)
Time Spent: 20m (was: 10m)
> Issuer claim in Knox JWTs should be configurable
> ------------------------------------------------
>
> Key: KNOX-2732
> URL: https://issues.apache.org/jira/browse/KNOX-2732
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 1.6.0
> Reporter: Philip Zampino
> Assignee: Attila Magyar
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Currently, the issuer claim in JWTs issued by Knox is always "KNOXSSO". This
> value should be configurable via a KNOXTOKEN service param in the topology.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
