[jira] [Commented] (SOLR-13734) JWTAuthPlugin to support multiple issuers

Fri, 06 Sep 2019 02:39:30 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-13734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16924087#comment-16924087
 ] 

Jan Høydahl commented on SOLR-13734:
------------------------------------

PR [#860|https://github.com/apache/lucene-solr/pull/860] submitted, feedback 
welcome.

I chose a JSON Array instead of Object for the 'issuers' config, and instead 
require the 'name' key in that object. See also commit messages in the PR for 
details of the changes.

> JWTAuthPlugin to support multiple issuers
> -----------------------------------------
>
>                 Key: SOLR-13734
>                 URL: https://issues.apache.org/jira/browse/SOLR-13734
>             Project: Solr
>          Issue Type: New Feature
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Major
>              Labels: JWT, authentication
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> In some large enterprise environments, there is more than one [Identity 
> Provider|https://en.wikipedia.org/wiki/Identity_provider] to issue tokens for 
> users. The equivalent example from the public internet is logging in to a 
> website and choose between multiple pre-defined IdPs (such as Google, GitHub, 
> Facebook etc) in the Oauth2/OIDC flow.
> In the enterprise the IdPs could be public ones but most likely they will be 
> private IdPs in various networks inside the enterprise. Users will interact 
> with a search application, e.g. one providing enterprise wide search, and 
> will authenticate with one out of several IdPs depending on their local 
> affiliation. The search app will then request an access token (JWT) for the 
> user and issue requests to Solr using that token.
> The JWT plugin currently supports exactly one IdP. This JIRA will extend 
> support for multiple IdPs for access token validation only. To limit the 
> scope of this Jira, Admin UI login must still happen to the "primary" IdP. 
> Supporting multiple IdPs for Admin UI login can be done in followup issues.



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to