Details
- Improvement
- Status: Closed
- Major
- Resolution: Fixed
Description
Right now, the Knox SSO and Token services can only issue tokens signed with RS256. This task is to support a wider range of signature algorithms.
The following changes are proposed:
a) The Knox Token Service has a new configuration parameter "knox.token.sigalg" which defaults to "RS256".
b) The Knox SSO Service has a new configuration parameter "knoxsso.token.sigalg" which defaults to "RS256".
c) The DefaultTokenAuthorityService checks the signing algorithm against a pre-defined list, which is all of the RSA algorithms (RS* and PS*) from the JWA spec.
d) The JWTFederationFilter and the SSOCookieFederationFilter have a new configuration parameter "jwt.expected.sigalg" which defaults to "RS256". The received token must be signed with the algorithm that is configured for this value.
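The two checks in c) and d), shown as a worked example. This is added illustration in Go using only the standard library; it is not Knox code (Knox is Java, and DefaultTokenAuthorityService and the federation filters are not reproduced here), and the names IssueToken, VerifyToken, allowedSigAlgs, pssOpts and the sample claims are assumptions made for the example. What it demonstrates is the shape of the proposal: the issuing side refuses any algorithm outside the RS*/PS* list, and the receiving side compares the token's "alg" header against its own configured value (what jwt.expected.sigalg would hold) before any cryptography runs, so the header never gets to choose the verification routine.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers SHA-256 for crypto.Hash.New
	_ "crypto/sha512" // registers SHA-384/512 for crypto.Hash.New
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// allowedSigAlgs is point c)'s list: the RSA (RS*, PS*) JWA algorithms only. All identifiers here are hypothetical.
var allowedSigAlgs = map[string]crypto.Hash{
	"RS256": crypto.SHA256, "RS384": crypto.SHA384, "RS512": crypto.SHA512,
	"PS256": crypto.SHA256, "PS384": crypto.SHA384, "PS512": crypto.SHA512,
}

var (
	b64     = base64.RawURLEncoding
	pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} // RFC 7518: PS* salt length = hash length
)

// digest hashes the JWS signing input with the hash of an allowed algorithm.
func digest(alg, signingInput string) (crypto.Hash, []byte, error) {
	ch, ok := allowedSigAlgs[alg]
	if !ok {
		return 0, nil, fmt.Errorf("signing algorithm %q is not in the allowed RSA list", alg)
	}
	h := ch.New()
	h.Write([]byte(signingInput))
	return ch, h.Sum(nil), nil
}

// IssueToken is the token-authority side: it signs with the configured algorithm
// and refuses anything outside allowedSigAlgs ("none", HS*, ES* never sign).
func IssueToken(key *rsa.PrivateKey, alg string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	var sig []byte
	ch, d, err := digest(alg, signingInput)
	switch {
	case err != nil: // algorithm not allowed; fall through to the error return
	case strings.HasPrefix(alg, "PS"):
		sig, err = rsa.SignPSS(rand.Reader, key, ch, d, pssOpts)
	default:
		sig, err = rsa.SignPKCS1v15(rand.Reader, key, ch, d)
	}
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyToken is the filter side of point d): the token's "alg" header must equal the
// configured expected algorithm, and only that configured value selects the verifier.
// On success it returns the verified payload (the claims JSON).
func VerifyToken(pub *rsa.PublicKey, expectedAlg, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	var segs [3][]byte
	for i, p := range parts {
		var err error
		if segs[i], err = b64.DecodeString(p); err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	var hdr map[string]any
	if err := json.Unmarshal(segs[0], &hdr); err != nil {
		return nil, err
	}
	if alg, _ := hdr["alg"].(string); alg != expectedAlg {
		return nil, fmt.Errorf("token alg %q does not match expected %q", alg, expectedAlg)
	}
	ch, d, err := digest(expectedAlg, parts[0]+"."+parts[1])
	switch {
	case err != nil: // the expected algorithm itself is misconfigured
	case strings.HasPrefix(expectedAlg, "PS"):
		err = rsa.VerifyPSS(pub, ch, d, segs[2], pssOpts)
	default:
		err = rsa.VerifyPKCS1v15(pub, ch, d, segs[2])
	}
	if err != nil {
		return nil, fmt.Errorf("signature verification failed: %w", err)
	}
	return segs[1], nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := IssueToken(key, "PS256", map[string]any{"sub": "alice"})
	_, err := VerifyToken(&key.PublicKey, "RS256", tok) // an RS256-only filter rejects a PS256 token
	fmt.Println(err)
}
```

The ordering inside VerifyToken is the substance of d): the comparison against the configured value happens first and is a plain string equality, so a token carrying "none", an HS* name or a different RSA variant is rejected before any key material is touched. Operators who want to move a deployment from RS256 to a PS* algorithm therefore have to change the issuer's sigalg and the filters' expected sigalg together, which is the intended coupling.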