[jira] [Commented] (SOLR-12121) JWT Authentication plugin

Thu, 11 Apr 2019 13:51:17 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-12121?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16815771#comment-16815771
 ] 

Jan Høydahl commented on SOLR-12121:
------------------------------------

I'd like to push an improvement to this (unreleased) feature, which is to 
refresh JWK set from IdP if JWT signature validation fails.

Since JWKs are cached for 60 minutes by default, a JWK key rotation at the IdP 
may cause new JWT tokens to be signed by a new key not yet fetched by the 
plugin. With the current plugin, the request will fail.

The improvement will instead attempt a JWK refresh from IdP (on signature 
validation failure only), and re-validate signature. Thus we'll support JWK 
rotation on IdP without users noticing, since refresh is triggered in the 
background.

> JWT Authentication plugin
> -------------------------
>
>                 Key: SOLR-12121
>                 URL: https://issues.apache.org/jira/browse/SOLR-12121
>             Project: Solr
>          Issue Type: New Feature
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Major
>             Fix For: 8.1
>
>         Attachments: image-2018-08-27-13-04-04-183.png
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> A new Authentication plugin that will accept a [Json Web 
> Token|https://en.wikipedia.org/wiki/JSON_Web_Token] (JWT) in the 
> Authorization header and validate it by checking the cryptographic signature. 
> The plugin will not perform the authentication itself but assert that the 
> user was authenticated by the service that issued the JWT token.
> JWT defined a number of standard claims, and user principal can be fetched 
> from the {{sub}} (subject) claim and passed on to Solr. The plugin will 
> always check the {{exp}} (expiry) claim and optionally enforce checks on the 
> {{iss}} (issuer) and {{aud}} (audience) claims.
> The first version of the plugin will only support RSA signing keys and will 
> support fetching the public key of the issuer through a [Json Web 
> Key|https://tools.ietf.org/html/rfc7517] (JWK) file, either from a https URL 
> or from local file.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

Reply via email to