[
https://issues.apache.org/jira/browse/SOLR-13734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16930623#comment-16930623
]
Jason Gerlowski commented on SOLR-13734:
----------------------------------------
What's the purpose of the distinction between the "primary" issuer and the
secondary issuers under the {{issuers}} key? I imagine the "primary" issuer is
just kept around for back-compat purposes? If it's just for back-compat, I
understand it needs to be done, but it's a shame. The JSON would be easier to
understand (IMO) if everything lived under the new {{issuers}} key post-9.0.
Would it be possible to mark {{iss}}, {{jwkUrl}} etc as deprecated outside of
the {{issuers}} hash in this PR? That'd make it easier to get to the cleaner
alternative at some point down the road...
> JWTAuthPlugin to support multiple issuers
> -----------------------------------------
>
> Key: SOLR-13734
> URL: https://issues.apache.org/jira/browse/SOLR-13734
> Project: Solr
> Issue Type: New Feature
> Security Level: Public(Default Security Level. Issues are Public)
> Components: security
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Priority: Major
> Labels: JWT, authentication, pull-request-available
> Fix For: 8.3
>
> Attachments: jwt-authentication-plugin.html
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> In some large enterprise environments, there is more than one [Identity
> Provider|https://en.wikipedia.org/wiki/Identity_provider] to issue tokens for
> users. The equivalent example from the public internet is logging in to a
> website and choose between multiple pre-defined IdPs (such as Google, GitHub,
> Facebook etc) in the Oauth2/OIDC flow.
> In the enterprise the IdPs could be public ones but most likely they will be
> private IdPs in various networks inside the enterprise. Users will interact
> with a search application, e.g. one providing enterprise wide search, and
> will authenticate with one out of several IdPs depending on their local
> affiliation. The search app will then request an access token (JWT) for the
> user and issue requests to Solr using that token.
> The JWT plugin currently supports exactly one IdP. This JIRA will extend
> support for multiple IdPs for access token validation only. To limit the
> scope of this Jira, Admin UI login must still happen to the "primary" IdP.
> Supporting multiple IdPs for Admin UI login can be done in followup issues.
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
