Posted to dev@knox.apache.org by "Larry McCay (Jira)" <ji...@apache.org> on 2020/01/06 03:31:00 UTC

[jira] [Comment Edited] (KNOX-2146) Docs: Knox JWT token signature verification using public key

    [ https://issues.apache.org/jira/browse/KNOX-2146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17008515#comment-17008515 ] 

Larry McCay edited comment on KNOX-2146 at 1/6/20 3:30 AM:
-----------------------------------------------------------

[~FortKnox] - can you attach your topology with the configured PEM encoded public key?

Did you happen to remove the header and footer of it -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----?

We do assume that those are excluded and would likely result in such an error if they are included. Actually, it doesn't look like that error message can happen if the header is included.

You can also try a PEM that is exported from the knoxcli via:

knoxcli.sh export-cert --type PEM

Then copy the resulting PEM - without the begin and end header/footer - into the topology.

 

 


was (Author: lmccay):
[~FortKnox] - can you attach your topology with the configured PEM encoded public key?

Did you happen to remove the header and footer of it -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----?

We do assume that those are excluded and would likely result in such an error if they are included.

> Docs: Knox JWT token signature verification using public key
> ------------------------------------------------------------
>
>                 Key: KNOX-2146
>                 URL: https://issues.apache.org/jira/browse/KNOX-2146
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Site
>    Affects Versions: 1.0.0
>         Environment: Ubuntu 18.04, HDP 3.1
>            Reporter: Matei C.
>            Assignee: Larry McCay
>            Priority: Minor
>             Fix For: 1.4.0
>
>
> Hello,
>  I have configured an Apache Knox (1.0.0) topology to accept 3rd party JWTs by following this [Cloudera guide|https://community.cloudera.com/t5/Community-Articles/Knox-Accept-third-party-JWT/ta-p/248488].
>  
>  I would also like to verify the 3rd party JWTs based on their signature by adding my IdP's public key in PEM format for the JWT provider, but in the guide it is specified that only PEM certificates are accepted (' [...] *In current Knox version, public key is not supported, have to configure public certificate [...]*') and I have not found any relevant documentation from Knox on this subject.
>  
>  Can you please tell me if there is any solution to use public keys for JWT verification in Knox 1.0.0? If not, are there any plans to support this in future Knox releases?
> P.S.:
> When adding the 'knox.token.verification.pem' parameter with the public key in the JWT provider of my topology I noticed the below error in my gateway.log, which does seem to confirm the public key limitation.
>  
> {code:java}
> javax.servlet.ServletException: javax.servlet.ServletException: CertificateException - PEM may be corrupt
> {code}
>  
> Regards,
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
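
Added example, not part of the original message and not Knox code: a pre-flight check for the value placed in 'knox.token.verification.pem'. It strips any BEGIN/END lines and rejects a bare public key, following the thread's statements that the value must be a certificate without header and footer. The function names and sample bytes are constructed for illustration.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _tlvs(buf):
    """Yield (tag, value) for each DER element in buf (definite lengths only)."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            if n == 0 or i + n > len(buf):
                raise ValueError("unsupported DER length")
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        if i + length > len(buf):
            raise ValueError("truncated DER value")
        yield tag, buf[i:i + length]
        i += length

def classify(der):
    """Heuristic on the outer DER shape only; this is not a full X.509 parse."""
    try:
        top = list(_tlvs(der))
        if len(top) != 1 or top[0][0] != 0x30:
            return "unknown"
        tags = [tag for tag, _ in _tlvs(top[0][1])]
    except ValueError:
        return "unknown"
    # Certificate: SEQ{SEQ, SEQ, BIT STRING}; SubjectPublicKeyInfo: SEQ{SEQ, BIT STRING}
    return {(0x30, 0x30, 0x03): "certificate", (0x30, 0x03): "public-key"}.get(tuple(tags), "unknown")

def topology_value(text):
    """Return the header-free base64 body of a certificate, or raise ValueError."""
    m = PEM_RE.search(text)
    b64 = "".join((m.group(2) if m else text).split())
    kind = classify(base64.b64decode(b64, validate=True))
    if kind != "certificate":
        raise ValueError(f"expected an X.509 certificate, got: {kind}")
    return b64

def _der(tag, value):  # short-form lengths, enough for the constructed samples
    return bytes([tag, len(value)]) + value
# Constructed samples: right outer shape only, not real certificates or keys.
SAMPLE_CERT = _der(0x30, _der(0x30, b"\x02\x01\x01") + _der(0x30, b"") + _der(0x03, b"\x00\x01"))
SAMPLE_SPKI = _der(0x30, _der(0x30, b"\x06\x01\x2a") + _der(0x03, b"\x00\x01"))
```

Pass the PEM text (with or without its BEGIN/END lines) to topology_value() and paste the returned string into the topology parameter.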