[ https://issues.apache.org/jira/browse/IMPALA-12558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17829673#comment-17829673 ]
Jason Fehr commented on IMPALA-12558:
-------------------------------------
If the "alg" field exists on the JWK, it must be used. If the "alg" field is
missing from the JWK, then use the "alg" field from the JWT.
Impala only supports JWTs encoded as the payload of a JSON Web Signature (JWS)
structure. The "alg" field is required in the headers of JWS structures --
https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.1
Note: if the "alg" field is set to "none", the JWT must be rejected.
> JSON Web Keys (JWK) Require the Optional alg Property
> -----------------------------------------------------
>
> Key: IMPALA-12558
> URL: https://issues.apache.org/jira/browse/IMPALA-12558
> Project: IMPALA
> Issue Type: Bug
> Components: be, Security
> Reporter: Jason Fehr
> Assignee: gaurav singh
> Priority: Critical
> Labels: JWT, jwt, security
>
> According to the [JWK
> RFC|https://datatracker.ietf.org/doc/html/rfc7517#section-4.4], the "alg"
> property is optional on JWKs.
> Update Impala so that the "alg" property is no longer required on the JWKs.
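
The algorithm-selection rule from the comment above, as an added example that is not part of the original message and is not Impala's code. The names `select_alg`, `jws_header`, `JWTRejected` and `sample_token` are hypothetical, the tokens are constructed samples with a placeholder signature, and matching "none" case-insensitively and in the JWK as well as the JWT header are assumptions.

```python
import base64
import json


class JWTRejected(Exception):
    """The token must be rejected before any signature check."""


def jws_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWS (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTRejected("not a compact JWS")
    raw = parts[0]
    try:
        header = json.loads(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise JWTRejected("undecodable header") from exc
    if not isinstance(header, dict):
        raise JWTRejected("header is not a JSON object")
    return header


def select_alg(jwk: dict, token: str) -> str:
    """Return the algorithm to verify with, per the rule in the comment."""
    header_alg = jws_header(token).get("alg")
    # RFC 7515 section 4.1.1: "alg" is required in the JWS header.
    if not isinstance(header_alg, str) or not header_alg:
        raise JWTRejected('JWS header has no "alg"')
    # The JWK's "alg" wins when present; otherwise fall back to the header.
    alg = jwk.get("alg", header_alg)
    if not isinstance(alg, str) or not alg:
        raise JWTRejected('JWK "alg" is not a usable string')
    # "none" is rejected from either source (case-insensitive: an assumption).
    if "none" in (header_alg.lower(), alg.lower()):
        raise JWTRejected('"alg" is "none"')
    return alg


def sample_token(header: dict) -> str:
    """Constructed sample: real header, placeholder payload and signature."""
    enc = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=")
    return enc.decode() + ".e30.c2ln"


if __name__ == "__main__":
    tok = sample_token({"alg": "RS256", "typ": "JWT"})
    print(select_alg({"kty": "RSA", "alg": "RS512"}, tok))  # JWK alg wins
    print(select_alg({"kty": "RSA"}, tok))                  # header fallback
```

The returned value is what a verifier would then be pinned to; signature verification itself is outside this example.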