Posted to dev@knox.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2017/09/26 10:42:00 UTC
[jira] [Created] (KNOX-1067) Support different signature algorithms for JWTs
Colm O hEigeartaigh created KNOX-1067:
-----------------------------------------
Summary: Support different signature algorithms for JWTs
Key: KNOX-1067
URL: https://issues.apache.org/jira/browse/KNOX-1067
Project: Apache Knox
Issue Type: Improvement
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 0.14.0
Right now, the Knox SSO and Token services can only issue tokens signed with RS256. This task is to support a wider range of signature algorithms.
The following changes are proposed:
a) The Knox Token Service has a new configuration parameter "knox.token.sigalg" which defaults to "RS256".
b) The Knox SSO Service has a new configuration parameter "knoxsso.token.sigalg" which defaults to "RS256".
c) The DefaultTokenAuthorityService checks the signing algorithm against a pre-defined list, which is all of the RSA algorithms (RS* and PS*) from the JWA spec.
d) The JWTFederationFilter + the SSOCookieFederationFilter have a new configuration parameter "jwt.expected.sigalg" which defaults to "RS256". The received token must be signed with the algorithm that is configured for this value.
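The algorithm checks proposed in items (c) and (d), sketched as an added example that is not part of the original message or of Knox's own code. The function names are hypothetical, the sample tokens are constructed with placeholder signatures, and the signature verification that would follow the check is out of scope here.

```python
import base64
import json

# RSA-based algorithms from the JWA spec (RS* and PS*), the list named in item (c).
ALLOWED_SIGALGS = frozenset({"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"})


class SigAlgError(ValueError):
    """Raised when a configured or received algorithm is not acceptable."""


def b64url_decode(segment: str) -> bytes:
    # Compact JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_configured_sigalg(sigalg: str = "RS256") -> str:
    """Issuer side (items a-c): the configured algorithm must be on the list."""
    if sigalg not in ALLOWED_SIGALGS:
        raise SigAlgError(f"unsupported signature algorithm: {sigalg!r}")
    return sigalg


def check_token_sigalg(token: str, expected: str = "RS256") -> str:
    """Receiver side (item d): the header 'alg' must equal the configured value."""
    parts = token.split(".")
    if len(parts) != 3:
        raise SigAlgError("not a compact JWS: expected three segments")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise SigAlgError("unreadable JWT header") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg != expected:
        raise SigAlgError(f"token alg {alg!r} does not match expected {expected!r}")
    return alg


def constructed_token(alg: str) -> str:
    # Constructed sample: genuine header, placeholder payload and signature.
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(json.dumps({"alg": alg, "typ": "JWT"}).encode()),
                     enc(b'{"sub":"guest"}'), enc(b"not-a-real-signature")])
```

Because the receiver compares the header against its own configured value, a token naming any other algorithm is rejected before its signature is examined.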