Apache Knox / KNOX-2527

Support HMAC signature/verification in JWT token authority


    Details

    • Type: New Feature
    • Status: In Progress
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.5.0
    • Fix Version/s: 1.6.0
    • Component/s: KnoxSSO, Server
    • Labels: None

      Description

      As of now, in DefaultTokenAuthorityService, the generated JWT token is signed with RSA (PKI). It would be beneficial to add support for HMAC as well, so that token signing/verification would not require a keystore to be set up but could instead use a secret stored via Knox's alias service. The recommended alias name is gateway.signing.hmac.secret.
      To preserve backward compatibility, the implementation should use HMAC signing/verification only if:

      • the HMAC secret is configured via the alias service for the gateway, and
      • there is no previously configured gateway.signing.keystore.name, which is a clear indication of the end user's preference for PKI signatures.

      The default HMAC signing algorithm should be HS256 (HMAC using the SHA-256 hash algorithm), and clients should be able to change it via the already existing request parameters knoxsso.token.sigalg or knox.token.sigalg. Other valid values are:

      • HS384 (HMAC using the SHA-384 hash algorithm)
      • HS512 (HMAC using the SHA-512 hash algorithm)
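      The selection rule, algorithm negotiation and HS256/HS384/HS512 signing and verification described above, as an added stand-alone example that is not part of this issue or of the Knox code base. The alias names, config key and sigalg parameter names are the ones given in the issue; the dict-based alias service and gateway config, and the helpers should_use_hmac, signing_algorithm, sign_hs, verify_hs and check, are assumptions made for the illustration. The verifier pins the algorithm it expects instead of obeying the token header, which is the check a practitioner wants once a service accepts both RSA and HMAC tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Names taken from the issue text. The dict-based "alias service" and
# "gateway config" used below are constructed stand-ins, not Knox APIs.
HMAC_SECRET_ALIAS = "gateway.signing.hmac.secret"
KEYSTORE_CONFIG_KEY = "gateway.signing.keystore.name"
SIGALG_PARAMS = ("knoxsso.token.sigalg", "knox.token.sigalg")
DEFAULT_ALG = "HS256"

# Only the three HMAC algorithms named in the issue are accepted.
HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def should_use_hmac(aliases: dict, config: dict) -> bool:
    """Backward-compatibility rule: HMAC only if the secret alias exists AND
    no signing keystore name is configured (a keystore name means PKI wins)."""
    return HMAC_SECRET_ALIAS in aliases and not config.get(KEYSTORE_CONFIG_KEY)


def signing_algorithm(params: dict) -> str:
    """Resolve the HS algorithm from the first sigalg parameter present,
    falling back to HS256; anything outside HS256/384/512 is rejected."""
    alg = next((params[p] for p in SIGALG_PARAMS if p in params), DEFAULT_ALG)
    if alg not in HS_ALGS:
        raise ValueError(f"unsupported HMAC algorithm: {alg}")
    return alg


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs(claims: dict, secret: bytes, alg: str = DEFAULT_ALG) -> str:
    """Produce a compact JWS: base64url(header).base64url(claims).base64url(mac)."""
    if alg not in HS_ALGS:
        raise ValueError(f"unsupported HMAC algorithm: {alg}")
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = f"{_b64url(header)}.{_b64url(payload)}"
    mac = hmac.new(secret, signing_input.encode("ascii"), HS_ALGS[alg]).digest()
    return f"{signing_input}.{_b64url(mac)}"


def verify_hs(token: str, secret: bytes, expected_alg: str, now=None) -> dict:
    """Verify a token against the algorithm the gateway is configured for.

    The header's alg is compared with expected_alg instead of being obeyed,
    so "alg":"none" or a token minted under a different algorithm fails
    before any MAC is computed. The MAC comparison is constant-time."""
    if expected_alg not in HS_ALGS:
        raise ValueError(f"unsupported HMAC algorithm: {expected_alg}")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        raise ValueError(f"algorithm mismatch: header says {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_mac = hmac.new(secret, signing_input, HS_ALGS[expected_alg]).digest()
    if not hmac.compare_digest(expected_mac, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def check(token: str, secret: bytes, expected_alg: str, now=None) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the rejection reason."""
    try:
        verify_hs(token, secret, expected_alg, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample data: a secret as it might be stored under the
    # alias, and a gateway with no signing keystore configured.
    aliases = {HMAC_SECRET_ALIAS: b"constructed-demo-secret-0123456789ab"}
    config = {}
    if should_use_hmac(aliases, config):
        alg = signing_algorithm({"knoxsso.token.sigalg": "HS384"})
        token = sign_hs({"sub": "guest", "exp": 1_700_000_000}, aliases[HMAC_SECRET_ALIAS], alg)
        print(token)
        print(check(token, aliases[HMAC_SECRET_ALIAS], alg, now=1_600_000_000))
```

      Note the asymmetry this introduces: RSA verification needs only the public key, whereas anyone holding the HMAC secret can mint tokens, so the alias should be readable only by the gateway and the verifier must never let the token header choose between the two families.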

People

• Assignee: Sandor Molnar (smolnar)
• Reporter: Sandor Molnar (smolnar)


Time Tracking

• Original Estimate: Not Specified
• Remaining Estimate: 0h
• Time Spent: 1h 50m