Posted to dev@knox.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2017/09/26 10:42:00 UTC

[jira] [Created] (KNOX-1067) Support different signature algorithms for JWTs

Colm O hEigeartaigh created KNOX-1067:
-----------------------------------------

             Summary: Support different signature algorithms for JWTs
                 Key: KNOX-1067
                 URL: https://issues.apache.org/jira/browse/KNOX-1067
             Project: Apache Knox
          Issue Type: Improvement
            Reporter: Colm O hEigeartaigh
            Assignee: Colm O hEigeartaigh
             Fix For: 0.14.0


Right now, the Knox SSO and Token services can only issue tokens signed with RS256. This task is to support a wider range of signature algorithms. 

The following changes are proposed:

a) The Knox Token Service has a new configuration parameter "knox.token.sigalg" which defaults to "RS256".
b) The Knox SSO Service has a new configuration parameter "knoxsso.token.sigalg" which defaults to "RS256".
c) The DefaultTokenAuthorityService checks the signing algorithm against a pre-defined list, which is all of the RSA algorithms (RS* and PS*) from the JWA spec. 
d) The JWTFederationFilter + the SSOCookieFederationFilter have a new configuration parameter "jwt.expected.sigalg" which defaults to "RS256". The received token must be signed with the algorithm that is configured for this value.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
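
The checks proposed in (a) through (d), sketched as an added example in Python; this is not Knox code and not part of the original message. The configuration keys and the algorithm list come from the issue; the function names and the sample tokens are assumptions constructed for illustration, and signature verification itself is not shown.

```python
import base64
import json

# RSA-family algorithms from the JWA spec (RFC 7518), as listed in item (c).
ALLOWED_SIGALGS = frozenset({"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"})
DEFAULT_SIGALG = "RS256"


def issuer_sigalg(config, key):
    """Issuing side: key is "knox.token.sigalg" or "knoxsso.token.sigalg"."""
    alg = config.get(key, DEFAULT_SIGALG)
    if alg not in ALLOWED_SIGALGS:  # exact, case-sensitive match
        raise ValueError(f"unsupported signature algorithm: {alg!r}")
    return alg


def header_alg(token):
    """Return the "alg" header of a compact JWS, or None if it cannot be read."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        raw = base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4))
        header = json.loads(raw)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    alg = header.get("alg") if isinstance(header, dict) else None
    return alg if isinstance(alg, str) else None


def filter_accepts(token, config):
    """Receiving side: the header algorithm must equal "jwt.expected.sigalg".
    This gate runs before signature verification and does not replace it."""
    expected = config.get("jwt.expected.sigalg", DEFAULT_SIGALG)
    return header_alg(token) == expected


def constructed_token(header):
    """Build a sample token with a placeholder payload and signature (constructed data)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'sub': 'sample-user'})}.c2ln"


if __name__ == "__main__":
    for alg in ("RS256", "PS512", "HS256", "none", "rs256"):
        print(alg, filter_accepts(constructed_token({"alg": alg}), {}))
```

Comparing the header against one configured value, rather than trusting whatever the token declares, means a token whose header names an algorithm other than the configured one is refused before any key is used.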