[ https://issues.apache.org/jira/browse/KNOX-3140?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Philip Zampino resolved KNOX-3140.
----------------------------------
    Resolution: Not A Bug

It turns out that this behavior is necessary to support renewal/revocation of server-managed tokens without the ability to distinguish between an unmanaged JWT and a server-managed token which has expired/purged or been revoked (i.e., no longer has any associated metadata).

> JWTProvider requires metadata for bearer tokens if server-managed is true
> -------------------------------------------------------------------------
>
>                 Key: KNOX-3140
>                 URL: https://issues.apache.org/jira/browse/KNOX-3140
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.2.0
>            Reporter: Philip Zampino
>            Assignee: Philip Zampino
>            Priority: Major
>
> If the JWTProvider server-managed param is set to true, then when validating
> a bearer token, it requires that the token be server-managed (i.e., have
> metadata in the token state service). While bearer tokens may optionally have
> server-managed state, they should not be required to have it, and should be
> able to be validated/verified without it.
> This requirement appears to be due to the, what should be optional,
> server-managed expiration, which throws an UnknownTokenException if the JWT
> was issued by a KNOXTOKEN service with server-managed=false.
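The reasoning in the resolution above, as an added example that is not part of the original message and is not Apache Knox code: a simplified Python model showing that once a server-managed token's metadata is deleted, it is indistinguishable from an unmanaged JWT, so a validator that falls back to the JWT's own expiration would accept a revoked token. `TokenStateStore`, `validate_strict`, `validate_lenient`, the use of `jti` as the token identifier, and all sample values are assumptions made for illustration; the claims are assumed to have already passed signature verification.

```python
class UnknownTokenException(Exception):
    """Raised when a token has no metadata in the state store."""

class TokenStateStore:
    """Toy in-memory stand-in for a token state service (hypothetical)."""
    def __init__(self):
        self._meta = {}  # token id -> server-managed expiration (epoch seconds)

    def add(self, token_id, expires_at):
        self._meta[token_id] = expires_at

    def revoke(self, token_id):
        # Revocation (like purging expired entries) deletes the metadata.
        self._meta.pop(token_id, None)

    def expiration(self, token_id):
        if token_id not in self._meta:
            raise UnknownTokenException(token_id)
        return self._meta[token_id]

def validate_strict(store, claims, now):
    """Server-managed mode: metadata is required and its expiration is authoritative."""
    return now < store.expiration(claims["jti"])

def validate_lenient(store, claims, now):
    """Behavior the issue asked for: fall back to the JWT's own exp claim."""
    try:
        return now < store.expiration(claims["jti"])
    except UnknownTokenException:
        return now < claims["exp"]

def demo():
    now = 1_700_000_000  # constructed timestamp
    store = TokenStateStore()
    managed = {"jti": "managed-1", "exp": now + 3600}      # constructed claims
    unmanaged = {"jti": "unmanaged-1", "exp": now + 3600}  # never registered
    store.add(managed["jti"], managed["exp"])
    store.revoke(managed["jti"])  # from here on, both tokens look the same to the store
    results = {}
    for name, claims in (("revoked", managed), ("unmanaged", unmanaged)):
        lenient = validate_lenient(store, claims, now)
        try:
            strict = validate_strict(store, claims, now)
        except UnknownTokenException:
            strict = False  # no metadata means the token is rejected
        results[name] = (lenient, strict)
    return results

if __name__ == "__main__":
    print(demo())
```
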