[
https://issues.apache.org/jira/browse/SOLR-15423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17357377#comment-17357377
]
Jan Høydahl commented on SOLR-15423:
------------------------------------
This is now ready for final review. We're now spinning up a Mock Oauth server
for testing end-to-end and also validating that the SSL cert of the mock Oauth
server is actually trusted by the supplied PEM cert(s).
> JWTAuthPlugin support for custom truststore
> -------------------------------------------
>
> Key: SOLR-15423
> URL: https://issues.apache.org/jira/browse/SOLR-15423
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: security
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Priority: Major
> Attachments: jwt-refguide.png
>
> Time Spent: 2h 40m
> Remaining Estimate: 0h
>
> The JWT plugin performs outbound HTTPS traffic to Identity Provider (IdP) to
> fetch signing keys. If that IdP has a custom SSL certificate not signed by
> any of the root certs shipping with Java, then we need to add its certificate
> to Jetty/Java's TrustStore to tell Solr that it should trust the self-signed
> cert of the IdP.
> In the k8s world it is quite common to terminate SSL in a mesh network
> outside applications or in the ingress controller. This won't work with the
> use case discussed above, since Jetty's TrustStore is not enabled at all when
> Solr is running in non-SSL mode.
> The proposal is to let JWT manage its own TrustStore by configuration.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
