janhoy commented on a change in pull request #139:
URL: https://github.com/apache/solr/pull/139#discussion_r645593512
##########
File path: solr/solr-ref-guide/src/jwt-authentication-plugin.adoc
##########
@@ -158,12 +161,18 @@ Let's comment on this config:
<11> Configure the issuer id. Will be used for validating tokens. A token's
'iss' claim must match one of the configured issuer IDs.
<12> Configure the audience claim. A token's 'aud' claim must match 'aud' for
one of the configured issuers.
<13> This issuer is auto configured through discovery, so 'iss' and JWK
settings are not required
+<14> Provides SSL certificates to trust to support self-signed SSL in the
issuers.
=== Using non SSL URLs
In production environments you should always use SSL protected HTTPS
connections, otherwise you open yourself up to attacks.
However, in development, it may be useful to use regular http urls, and bypass
the
security check that Solr performs. To support this you can set the environment
variable `solr.auth.jwt.allowOutboundHttp=true`.
+=== Trusting the IdP server
+All communication with issuer server (IdP) is done over HTTPS. If the issuer
uses a self signed SSL certificate, the connection will fail since the plugin
enforces verification of SSL certificates on outbound traffic. By default, the
root certificates present in Java's TrustStore (default or custom provided) are
consulted. If you do not want to place the IdP certificates in Java's
TrustStore, you can configure this plugin with either `trustedCertsFile` or
`trustedCerts` options to provide a set of certificates to use when talking to
IdP. This has the extra benefit of also working even if Solr is not started in
SSL mode.
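Review bot: The new "Trusting the IdP server" section says `trustedCertsFile` or `trustedCerts` supply "a set of certificates to use when talking to IdP", but not whether those certificates replace the Java TrustStore or are added to it, nor which option wins if both are configured; please state this explicitly, since only a replacement makes pinning the IdP certificate stricter than trusting the default roots. It should also name the accepted encoding (the review comment below mentions PEM), and callout <14> would read more consistently as "self-signed TLS certificates" than "self-signed SSL", with "self signed" hyphenated in the section body as well.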
Review comment:
We should probably highlight here that it could be a benefit to supply a
PEM even if the IDP server cert is signed by a global top-level CA found in
Java. This is because trusting only ONE specific cert is more secure than
trusting all public certs out there :)
##########
File path: solr/core/build.gradle
##########
@@ -149,5 +149,12 @@ dependencies {
testImplementation('org.mockito:mockito-core', {
exclude group: "net.bytebuddy", module: "byte-buddy-agent"
})
+ testImplementation('no.nav.security:mock-oauth2-server', {
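Review bot: The `mock-oauth2-server` entry gets no `exclude` treatment like the mockito entry directly above it, yet the dependency tree posted below shows it pulling in a Kotlin stdlib set, okhttp/mockwebserver, freemarker, the nimbus OAuth2/JOSE libraries and `net.minidev:json-smart` declared with the version range `[1.3.1,2.3]`; a dynamic range makes test classpath resolution non-reproducible, so consider pinning that transitive version and excluding modules marked `(*)` that are already resolved elsewhere (for example `jackson-databind`), which would also shrink the set of LICENSE/NOTICE files being asked about.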
Review comment:
I add this as a testImpl dependency, but still I'm forced to add LICENSE
and NOTICE files in the `licenses` folder for this and all its dependencies.
Why is that necessary, when we do not distribute these jars? They are only used
during tests.
These are the new (test) deps:
```
+--- no.nav.security:mock-oauth2-server -> 0.3.3
| +--- org.jetbrains.kotlin:kotlin-stdlib:1.4.32
| | +--- org.jetbrains.kotlin:kotlin-stdlib-common:1.4.32
| | \--- org.jetbrains:annotations:13.0
| +--- org.jetbrains.kotlin:kotlin-reflect:1.4.32
| | \--- org.jetbrains.kotlin:kotlin-stdlib:1.4.32 (*)
| +--- com.fasterxml.jackson.core:jackson-databind:2.12.2 (*)
| +--- io.github.microutils:kotlin-logging:2.0.6
| | \--- io.github.microutils:kotlin-logging-jvm:2.0.6
| | +--- org.jetbrains.kotlin:kotlin-stdlib:1.4.31 -> 1.4.32 (*)
| | \--- org.jetbrains.kotlin:kotlin-stdlib-common:1.4.31 -> 1.4.32
| +--- com.fasterxml.jackson.module:jackson-module-kotlin:2.12.2
| | +--- com.fasterxml.jackson.core:jackson-databind:2.12.2 (*)
| | +--- com.fasterxml.jackson.core:jackson-annotations:2.12.2 (*)
| | +--- org.jetbrains.kotlin:kotlin-reflect:1.4.21 -> 1.4.32 (*)
| | \--- com.fasterxml.jackson:jackson-bom:2.12.2 (*)
| +--- org.freemarker:freemarker:2.3.31
| +--- com.squareup.okhttp3:mockwebserver:4.9.1
| | +--- com.squareup.okhttp3:okhttp:4.9.1
| | | +--- com.squareup.okio:okio:2.8.0
| | | | +--- org.jetbrains.kotlin:kotlin-stdlib:1.4.0 -> 1.4.32 (*)
| | | | \--- org.jetbrains.kotlin:kotlin-stdlib-common:1.4.0 -> 1.4.32
| | | \--- org.jetbrains.kotlin:kotlin-stdlib:1.4.10 -> 1.4.32 (*)
| | \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.4.10
| | +--- org.jetbrains.kotlin:kotlin-stdlib:1.4.10 -> 1.4.32 (*)
| | \--- org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.4.10
| | \--- org.jetbrains.kotlin:kotlin-stdlib:1.4.10 -> 1.4.32 (*)
| \--- com.nimbusds:oauth2-oidc-sdk:9.2.3
| +--- com.github.stephenc.jcip:jcip-annotations:1.0-1
| +--- com.nimbusds:content-type:2.1
| +--- net.minidev:json-smart:[1.3.1,2.3] -> 2.3
| | \--- net.minidev:accessors-smart:1.2
| | \--- org.ow2.asm:asm:5.0.4 -> 7.2
| +--- com.nimbusds:lang-tag:1.4.4
| \--- com.nimbusds:nimbus-jose-jwt:9.6.1
| \--- com.github.stephenc.jcip:jcip-annotations:1.0-1
```
This is an automated message from the Apache Git Service.