[ https://issues.apache.org/jira/browse/KNOX-3073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17896815#comment-17896815 ]
ASF subversion and git services commented on KNOX-3073:
-------------------------------------------------------

Commit 7dd8b4318c8a685985b08cd2870bf212be814db2 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/multi-9f37c16f8f from Philip Zampino
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7dd8b4318 ]

KNOX-3073 - Token verification fallback to Knox keys behavior should configurable (#949)

> Token verification fallback to Knox keys behavior should configurable
> ---------------------------------------------------------------------
>
>                 Key: KNOX-3073
>                 URL: https://issues.apache.org/jira/browse/KNOX-3073
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Philip Zampino
>            Assignee: Philip Zampino
>            Priority: Major
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> KNOX-3040 introduced support for multiple token verification mechanisms (i.e., PEM,
> jwks) for the same topology (provider instance), falling back to Knox's own
> signing and TLS keys if any of those configured should fail.
> This behavior may not be expected by some, and we should provide the ability
> to control the fallback to the Knox keys.
> To support deployments expecting the previous behavior, there should be a
> provider param for indicating that the new fall-back behavior is desired
> (e.g., instance-keys-fallback=true), which defaults to false.
> Default Behavior:
> * Neither PEM nor jwks URL(s) is configured, attempt verification using (in order)
> ** Knox's signing key
> ** Knox's TLS key
> * Only PEM is configured: Knox will attempt verification using ONLY the configured PEM
> * Only jwks URL(s) are configured: Knox will attempt verification using ONLY the configured jwks URL(s)
> * PEM AND jwks URL(s) are configured: Knox will attempt verification using ONLY (in order)
> ** The configured PEM
> ** The configured jwks URL(s).
> instance-keys-fallback=true Behavior:
> * Same as default behavior except that in the cases where PEM and/or jwks
> URL(s) are configured and fail to verify, Knox will subsequently attempt
> verification using (in order):
> ** Knox's signing key
> ** Knox's TLS key

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
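
The verification order described in the quoted issue, modelled as an added example that is not part of the original message and is not Knox code. The mechanism labels, sample keys and function names are assumptions, and HMAC-SHA256 stands in for the real PEM/JWKS signature checks so the model runs with the standard library alone.

```python
import hashlib
import hmac

# Mechanism names are labels for this model, not Knox identifiers.
PEM, JWKS = "pem", "jwks"
KNOX_SIGNING, KNOX_TLS = "knox-signing-key", "knox-tls-key"
INSTANCE_KEYS = [KNOX_SIGNING, KNOX_TLS]


def verification_order(pem_configured, jwks_configured, instance_keys_fallback=False):
    """Ordered mechanisms to try, following the issue description."""
    configured = ([PEM] if pem_configured else []) + ([JWKS] if jwks_configured else [])
    if not configured:
        return list(INSTANCE_KEYS)         # nothing configured: Knox keys only
    if instance_keys_fallback:
        return configured + INSTANCE_KEYS  # opt-in: Knox keys are tried last
    return configured                      # default: ONLY what was configured


def sign(key, payload):
    # Stand-in for a real JWT signature (HMAC-SHA256 instead of RSA/EC).
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify(payload, signature, keys, order):
    """Return the first mechanism in `order` whose key verifies, else None."""
    for mechanism in order:
        key = keys.get(mechanism)
        if key is not None and hmac.compare_digest(sign(key, payload), signature):
            return mechanism
    return None


# Constructed sample keys and token payload.
KEYS = {PEM: b"idp-pem-key", JWKS: b"idp-jwks-key",
        KNOX_SIGNING: b"knox-signing", KNOX_TLS: b"knox-tls"}
PAYLOAD = b'{"sub":"alice"}'
KNOX_SIGNED = sign(KEYS[KNOX_SIGNING], PAYLOAD)


def accepted_by(pem, jwks, fallback, signature=KNOX_SIGNED):
    """Which mechanism (if any) accepts the token under the given provider config."""
    return verify(PAYLOAD, signature, KEYS, verification_order(pem, jwks, fallback))


if __name__ == "__main__":
    for fallback in (False, True):
        print(f"PEM only, fallback={fallback}:", accepted_by(True, False, fallback))
```

With only a PEM configured, a token signed by Knox's own signing key is rejected by default and accepted once `instance-keys-fallback=true` is set, which is the widening of the trusted key set that the parameter controls.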