[
https://issues.apache.org/jira/browse/SOLR-12121?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16604997#comment-16604997
]
Jan Høydahl commented on SOLR-12121:
------------------------------------
Pushed new commits to PR:
* Support for well-known opened-connect config endpoint
** This will configure {{jwkUrl}} automatically and also set {{iss}} from the
config
* Support for {{clientId}} config, which will automatically set {{aud}} config
to require cliendId as audience
* Support for {{scope}} config, with a list of valid scopes. If access token
does not contain any of them, the request fails
* Use camelCase for param names, as for BasicAuth, e.g. {{blockUnknown}}
instead of {{block_unknown}}
* Validate config and fail if unknown params given
* Enable config-edit API, using {{set-property}}
* Provide an introspection spec
* Update refGuide
* Cleaned up tests
So far I'm documenting that there is *no* support for setting JWT header from
SolrJ, and no support for using bin/solr with a JWT auth enabled cluster. I'll
tackle that in followup issues.
> JWT Authentication plugin
> -------------------------
>
> Key: SOLR-12121
> URL: https://issues.apache.org/jira/browse/SOLR-12121
> Project: Solr
> Issue Type: New Feature
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Authentication
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Priority: Major
> Fix For: master (8.0)
>
> Attachments: image-2018-08-27-13-04-04-183.png
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> A new Authentication plugin that will accept a [Json Web
> Token|https://en.wikipedia.org/wiki/JSON_Web_Token] (JWT) in the
> Authorization header and validate it by checking the cryptographic signature.
> The plugin will not perform the authentication itself but assert that the
> user was authenticated by the service that issued the JWT token.
> JWT defined a number of standard claims, and user principal can be fetched
> from the {{sub}} (subject) claim and passed on to Solr. The plugin will
> always check the {{exp}} (expiry) claim and optionally enforce checks on the
> {{iss}} (issuer) and {{aud}} (audience) claims.
> The first version of the plugin will only support RSA signing keys and will
> support fetching the public key of the issuer through a [Json Web
> Key|https://tools.ietf.org/html/rfc7517] (JWK) file, either from a https URL
> or from local file.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
