As of now, in DefaultTokenAuthorityService, the generated JWT token is signed by RSA (PKI). It would be beneficial to add support for HMAC as well, so that token signature/verification would not require a keystore to be set up but could instead use a secret stored via Knox's alias service. The recommended alias name is gateway.signing.hmac.secret
To support backward compatibility, the implementation should use HMAC signature/verification only if:
- the HMAC secret is configured via the alias service for the gateway, and
- there is no previously pre-configured gateway.signing.keystore.name which is a clear indication of end-user preference of using PKI signatures.
The default HMAC signing algorithm should be HS256 (HMAC using SHA-256 hash algorithm), and clients should be able to change it via the already existing request parameters knoxsso.token.sigalg or knox.token.sigalg. Other valid values are:
- HS384 (HMAC using SHA-384 hash algorithm)
- HS512 (HMAC using SHA-512 hash algorithm)
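The following is an added example (not Knox code) that models the behaviour described above in plain Python: the PKI-vs-HMAC selection rule (HMAC only when the gateway.signing.hmac.secret alias is present and no gateway.signing.keystore.name is configured), resolution of the algorithm from the knoxsso.token.sigalg / knox.token.sigalg parameters with HS256 as the default, and HS256/HS384/HS512 signing and verification of a compact JWT. The alias store and gateway configuration are represented as plain dicts; the function names are assumptions for illustration. On the verification side the expected algorithm is pinned by the caller rather than trusted from the token header, and the signature is compared in constant time.

```python
import base64
import hashlib
import hmac
import json

# Supported HMAC algorithms, as listed in the ticket.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# Alias and property names from the ticket text.
HMAC_SECRET_ALIAS = "gateway.signing.hmac.secret"
KEYSTORE_NAME_PROPERTY = "gateway.signing.keystore.name"


def select_signing_mode(aliases, gateway_config):
    """Return 'HMAC' only when the secret alias exists AND no signing keystore name
    is configured; a pre-configured keystore name signals the user wants PKI."""
    if aliases.get(HMAC_SECRET_ALIAS) and not gateway_config.get(KEYSTORE_NAME_PROPERTY):
        return "HMAC"
    return "PKI"


def resolve_algorithm(request_params, default="HS256"):
    """Pick the HMAC algorithm from the existing request parameters, defaulting to HS256.
    Anything outside the HS* family is rejected so a caller cannot downgrade or confuse
    the signing scheme."""
    alg = (request_params.get("knoxsso.token.sigalg")
           or request_params.get("knox.token.sigalg")
           or default)
    if alg not in HMAC_ALGS:
        raise ValueError("unsupported HMAC signing algorithm: %s" % alg)
    return alg


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, secret: bytes, alg="HS256") -> str:
    """Produce a compact JWS (header.payload.signature) using HMAC with the given secret."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token: str, secret: bytes, expected_alg="HS256"):
    """Return the claims if the token verifies under the expected algorithm, else None.
    The algorithm is pinned by the verifier, not read from the untrusted header."""
    if expected_alg not in HMAC_ALGS:
        return None
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != expected_alg:
        return None
    expected = hmac.new(secret, (h + "." + p).encode("ascii"), HMAC_ALGS[expected_alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


if __name__ == "__main__":
    # Constructed sample configuration: secret alias present, no keystore name set.
    aliases = {HMAC_SECRET_ALIAS: b"constructed-demo-secret"}
    config = {}
    mode = select_signing_mode(aliases, config)
    alg = resolve_algorithm({"knox.token.sigalg": "HS512"})
    token = sign_jwt({"sub": "alice"}, aliases[HMAC_SECRET_ALIAS], alg)
    print(mode, alg, verify_jwt(token, aliases[HMAC_SECRET_ALIAS], alg))
```

The selection rule is evaluated once at startup from the alias service and gateway configuration; the request parameter only chooses among the HS* variants, never between HMAC and PKI.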