Posted to dev@knox.apache.org by "Kevin Risden (JIRA)" <ji...@apache.org> on 2018/11/01 19:58:00 UTC

[jira] [Comment Edited] (KNOX-1549) KnoxSSO should support signing keys per topology

    [ https://issues.apache.org/jira/browse/KNOX-1549?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16672098#comment-16672098 ] 

Kevin Risden edited comment on KNOX-1549 at 11/1/18 7:57 PM:
-------------------------------------------------------------

* Currently all JWT tokens from KnoxSSO are being signed by the gateway private key
 ** [KnoxSSO calls Token service|https://github.com/apache/knox/blob/master/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java#L225] to get token
 ** Token service is already [signing each token|https://github.com/apache/knox/blob/master/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityService.java#L146]
 ** [Signing key alias and passphrase|https://github.com/apache/knox/blob/master/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityService.java#L161] fall back to gateway defaults
 ** [Signing keystore is assumed to be a file|https://github.com/apache/knox/blob/master/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java#L146]
 * Changes required
 ** Add configurations to WebSSOResource for:
 *** signingKeyPassphrase
 *** signingKeyAlias
 *** signingKeystorePath
 ** Add TokenService support for issuing tokens with a custom signingKeyPassphrase, signingKeyAlias, signingKeystorePath
 *** Need to add an issueToken method taking the additional arguments
 ** Add KeystoreService support for a custom signingKeystorePath
 *** Need to add a getSigningKey method taking an additional argument


was (Author: risdenk):
* Currently all JWT tokens from KnoxSSO are being signed by the gateway private key
 * [KnoxSSO calls Token service|https://github.com/apache/knox/blob/master/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java#L225] to get token
 * Token service is already [signing each token|https://github.com/apache/knox/blob/master/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityService.java#L146]
 * [Signing key alias and passphrase|https://github.com/apache/knox/blob/master/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityService.java#L161] fall back to gateway defaults
 * [Signing keystore is assumed to be a file|https://github.com/apache/knox/blob/master/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java#L146]


 * Changes required
 * Add configurations to WebSSOResource for:
 ** signingKeyPassphrase
 ** signingKeyAlias
 ** signingKeystorePath
 * Add TokenService support for issuing tokens with a custom signingKeyPassphrase, signingKeyAlias, signingKeystorePath
 ** Need to add an issueToken method taking the additional arguments
 * Add KeystoreService support for a custom signingKeystorePath
 ** Need to add a getSigningKey method taking an additional argument
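Added example (not Knox code, and not from the comment's author): a small model of the design sketched above, showing the three per-topology settings, the fallback to gateway defaults, a getSigningKey that takes the keystore path, and an issueToken that signs with the resolved key. Knox is Java and reads JKS keystores; this stands in for that with a directory of PEM files (the keystorePath) holding one key per alias, written in Go so it is self-contained and runnable. The passphrase field is carried through the fallback logic but not used, because the constructed PEM files are unencrypted. All function names, the aliases "gateway-identity" and "sandbox-signing", and the "alice" subject are constructed for the example. The point it demonstrates is the security property the feature buys: a token issued for one topology verifies only under that topology's public key and is rejected under the gateway identity key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// SigningConfig mirrors the three per-topology settings named in the comment.
// Constructed model: KeystorePath is a directory, Alias names a PEM file in it,
// Passphrase is carried but unused because the PEM is stored unencrypted.
type SigningConfig struct {
	KeystorePath string
	Alias        string
	Passphrase   string
}

// resolve applies the fallback the comment describes: any field the topology
// leaves empty falls back to the gateway default.
func resolve(topology, gateway SigningConfig) SigningConfig {
	out := topology
	if out.KeystorePath == "" {
		out.KeystorePath = gateway.KeystorePath
	}
	if out.Alias == "" {
		out.Alias = gateway.Alias
	}
	if out.Passphrase == "" {
		out.Passphrase = gateway.Passphrase
	}
	return out
}

// getSigningKey is a hypothetical stand-in for a keystore-service method that
// takes the keystore path as an extra argument instead of assuming the gateway's.
func getSigningKey(cfg SigningConfig) (*rsa.PrivateKey, error) {
	raw, err := os.ReadFile(filepath.Join(cfg.KeystorePath, cfg.Alias+".pem"))
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, errors.New("no PEM private key under alias " + cfg.Alias)
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	rsaKey, ok := key.(*rsa.PrivateKey)
	if !ok {
		return nil, errors.New("alias " + cfg.Alias + " is not an RSA key")
	}
	return rsaKey, nil
}

var b64 = base64.RawURLEncoding

// issueToken is a hypothetical stand-in for an issueToken overload taking the
// extra arguments; it emits a compact RS256 JWS with a single "sub" claim.
func issueToken(subject string, cfg SigningConfig) (string, error) {
	key, err := getSigningKey(cfg)
	if err != nil {
		return "", err
	}
	header := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	claims, _ := json.Marshal(map[string]string{"sub": subject})
	input := header + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyToken checks the RS256 signature against pub and returns the subject.
func verifyToken(token string, pub *rsa.PublicKey) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var claims struct {
		Sub string `json:"sub"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", err
	}
	return claims.Sub, nil
}

// writeKey generates a constructed RSA key, stores it as <alias>.pem under dir
// (mode 0600), and returns the public key a verifier would be configured with.
func writeKey(dir, alias string) (*rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return nil, err
	}
	var buf strings.Builder
	if err := pem.Encode(&buf, &pem.Block{Type: "PRIVATE KEY", Bytes: der}); err != nil {
		return nil, err
	}
	if err := os.WriteFile(filepath.Join(dir, alias+".pem"), []byte(buf.String()), 0o600); err != nil {
		return nil, err
	}
	return &key.PublicKey, nil
}

// demo sets up one gateway default key and one topology key, issues a token for
// the topology, and reports whether the gateway key (correctly) rejects it.
func demo() (crossTopologyRejected bool, err error) {
	base, err := os.MkdirTemp("", "knox-keys")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(base)

	gatewayPub, err := writeKey(filepath.Join(base, "gateway"), "gateway-identity")
	if err != nil {
		return false, err
	}
	topoPub, err := writeKey(filepath.Join(base, "sandbox"), "sandbox-signing")
	if err != nil {
		return false, err
	}
	gatewayCfg := SigningConfig{KeystorePath: filepath.Join(base, "gateway"), Alias: "gateway-identity", Passphrase: "gateway-secret"}
	// The topology overrides keystore and alias; the passphrase falls back to the gateway default.
	topoCfg := resolve(SigningConfig{KeystorePath: filepath.Join(base, "sandbox"), Alias: "sandbox-signing"}, gatewayCfg)

	token, err := issueToken("alice", topoCfg)
	if err != nil {
		return false, err
	}
	if sub, err := verifyToken(token, topoPub); err != nil || sub != "alice" {
		return false, fmt.Errorf("topology key should verify the token: %v", err)
	}
	_, err = verifyToken(token, gatewayPub)
	return err != nil, nil
}

func main() {
	rejected, err := demo()
	fmt.Println("token signed with topology key rejected by gateway key:", rejected, "error:", err)
}
```

The check worth keeping from this is the negative one in demo: once topologies sign with their own keys, a verifier configured with the gateway identity key must reject a topology's token, otherwise the per-topology keys add nothing. The fallback in resolve is the other thing to watch in a real implementation: a topology that sets only signingKeystorePath but leaves signingKeyAlias empty silently picks up the gateway alias, which may not exist in the topology's keystore and should fail loudly rather than fall back to the gateway key.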

> KnoxSSO should support signing keys per topology
> ------------------------------------------------
>
>                 Key: KNOX-1549
>                 URL: https://issues.apache.org/jira/browse/KNOX-1549
>             Project: Apache Knox
>          Issue Type: New Feature
>            Reporter: Kevin Risden
>            Assignee: Kevin Risden
>            Priority: Major
>             Fix For: 1.3.0
>
>
> Currently KnoxSSO signs all tokens with the gateway private key. This should be configurable to have separate signing keys per topology. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)