Posted to dev@knox.apache.org by "Kevin Risden (JIRA)" <ji...@apache.org> on 2018/11/01 19:58:00 UTC

[jira] [Commented] (KNOX-1549) KnoxSSO should support signing keys per topology

    [ https://issues.apache.org/jira/browse/KNOX-1549?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16672098#comment-16672098 ] 

Kevin Risden commented on KNOX-1549:
------------------------------------

* Currently all JWT tokens from KnoxSSO are being signed by the gateway private key
 * [KnoxSSO calls Token service|https://github.com/apache/knox/blob/master/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java#L225] to get token
 * Token service is already [signing each token|https://github.com/apache/knox/blob/master/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityService.java#L146]
 * [Signing key alias and passphrase|https://github.com/apache/knox/blob/master/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityService.java#L161] fall back to gateway defaults
 * [Signing keystore is assumed to be a file|https://github.com/apache/knox/blob/master/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java#L146]


 * Changes required
 * Add configurations to WebSSOResource for:
 ** signingKeyPassphrase
 ** signingKeyAlias
 ** signingKeystorePath
 * Add TokenService support for issuing a token with a custom signingKeyPassphrase, signingKeyAlias, signingKeystorePath
 ** Need to add an issueToken method taking the additional arguments
 * Add KeystoreService support for a custom signingKeystorePath
 ** Need to add a getSigningKey method taking an additional argument

> KnoxSSO should support signing keys per topology
> ------------------------------------------------
>
>                 Key: KNOX-1549
>                 URL: https://issues.apache.org/jira/browse/KNOX-1549
>             Project: Apache Knox
>          Issue Type: New Feature
>            Reporter: Kevin Risden
>            Assignee: Kevin Risden
>            Priority: Major
>             Fix For: 1.3.0
>
>
> Currently KnoxSSO signs all tokens with the gateway private key. This should be configurable to have separate signing keys per topology. 



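
One possible shape for the per-topology key lookup outlined in the comment above, as an added example that is not Knox code and not from the ticket. The class name, the method signature and the rule of refusing a custom keystore that lacks its own alias or passphrase are assumptions; only the three setting names come from the comment.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;

/** Hypothetical sketch; class and method shapes are assumptions, not Knox's API. */
public final class TopologySigningKeys {
    // Gateway-wide defaults, used when a topology configures nothing itself.
    private final Path gatewayKeystore;
    private final String gatewayAlias;
    private final char[] gatewayPassphrase;

    public TopologySigningKeys(Path keystore, String alias, char[] passphrase) {
        this.gatewayKeystore = keystore;
        this.gatewayAlias = alias;
        this.gatewayPassphrase = passphrase.clone();
    }

    /** Null arguments mean "not configured for this topology". */
    public PrivateKey getSigningKey(Path signingKeystorePath, String signingKeyAlias,
                                    char[] signingKeyPassphrase)
            throws GeneralSecurityException, IOException {
        boolean custom = signingKeystorePath != null;
        // A custom keystore must bring its own alias and passphrase; mixing in
        // gateway defaults would hide a misconfigured topology.
        if (custom && (signingKeyAlias == null || signingKeyPassphrase == null)) {
            throw new KeyStoreException("signingKeystorePath set without alias/passphrase");
        }
        Path path = custom ? signingKeystorePath : gatewayKeystore;
        String alias = signingKeyAlias != null ? signingKeyAlias : gatewayAlias;
        char[] pass = signingKeyPassphrase != null ? signingKeyPassphrase : gatewayPassphrase;
        // Assumption: the keystore password and the key passphrase are the same value.
        KeyStore ks = KeyStore.getInstance(path.toFile(), pass); // Java 9+, detects store type
        Key key = ks.getKey(alias, pass);
        if (!(key instanceof PrivateKey)) {
            // Fail closed: a missing topology key never degrades to the gateway key.
            throw new KeyStoreException("no private key '" + alias + "' in " + path);
        }
        return (PrivateKey) key;
    }
}
```

With all three arguments null the lookup behaves like the current gateway-wide default; a topology that supplies all three gets a key that no other topology's tokens are signed with.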