Posted to issues@solr.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2021/10/27 08:46:00 UTC

[jira] [Comment Edited] (SOLR-13070) Add JWT Auth support in SolrJ

    [ https://issues.apache.org/jira/browse/SOLR-13070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17434740#comment-17434740 ] 

Jan Høydahl edited comment on SOLR-13070 at 10/27/21, 8:45 AM:
---------------------------------------------------------------

I think the scope of this should not be to let SolrJ act as a full-blown OIDC client.

Rather, a typical use case is for federated security, that a user has logged in with OIDC to some application in the enterprise, and then clicks a search button, whereupon the user's JWT token is passed along to the API backend that talks to Solr using SolrJ. So the only thing SolrJ needs to do is have a way to relay that JWT to Solr.

With "generic" I mean: SolrRequest has hard-coded methods to set BasicAuth credentials (https://github.com/apache/solr/blob/main/solr/solrj/src/java/org/apache/solr/client/solrj/SolrRequest.java#L107:L118) and instead of adding another set of methods "setJWTCredentials()" etc, we should refactor into e.g. "setAuthorizationHeader()" or something, optionally with helper methods to generate the Basic base64-string based on user/pass. Also, a distributed request in Solr does not copy HTTP headers onto the next stage, so once you shard out, the header is lost, and we have other means of transferring credentials, or fallback to PKI.


was (Author: janhoy):
I think the scope of this should not be to let SolrJ act as a full-blown OIDC client.

Rather, a typical use case is for federated security, that a user has logged in with OIDC to some application in the enterprise, and then clicks a search button, whereupon the user's JWT token is passed along to the API backend that talks to Solr using SolrJ. So the only thing SolrJ needs to do is have a way to relay that JWT to Solr.

With "generic" I mean: SolrRequest has hard-coded methods to set BasicAuth credentials (https://github.com/apache/solr/blob/main/solr/solrj/src/java/org/apache/solr/client/solrj/SolrRequest.java#L107:L118) and instead of adding another set of methods "setJWTCredentials()" etc, we should refactor into e.g. "setAuthorizationHeader()" or something. Also, a distributed request in Solr does not copy HTTP headers onto the next stage, so once you shard out, the header is lost, and we have other means of transferring credentials, or fallback to PKI.

> Add JWT Auth support in SolrJ
> -----------------------------
>
>                 Key: SOLR-13070
>                 URL: https://issues.apache.org/jira/browse/SOLR-13070
>             Project: Solr
>          Issue Type: Improvement
>          Components: SolrJ
>            Reporter: Jan Høydahl
>            Assignee: Timothy Potter
>            Priority: Major
>
> When SOLR-12121 is done, we should add a way for SolrJ clients to add the correct Authorization header for requests in order to pass the token in the Authorization header.
> This should be a generic solution, not just a new {{setJwtCredentials}} on SolrRequest.
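
A sketch of the generic approach discussed in the comment above, added here as an illustration and not taken from SolrJ or from the issue. The `Request` class and the `setAuthorizationHeader`, `basic` and `bearer` names are hypothetical, the credentials and token are constructed samples, and the token is assumed to be a compact JWS.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Hypothetical sketch, not SolrJ code: one generic Authorization value per request. */
public class AuthorizationHeaderSketch {

  /** Hypothetical stand-in for a request object; SolrJ's SolrRequest is not used here. */
  static class Request {
    private String authorizationHeader; // null means "send no Authorization header"

    void setAuthorizationHeader(String value) {
      // Refuse CR/LF so a relayed credential cannot add extra header lines.
      if (value != null && (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0)) {
        throw new IllegalArgumentException("Authorization value contains a line break");
      }
      this.authorizationHeader = value;
    }

    String getAuthorizationHeader() {
      return authorizationHeader;
    }
  }

  /** Helper for the Basic scheme: base64 of "user:pass" (RFC 7617). */
  static String basic(String user, String pass) {
    if (user.indexOf(':') >= 0) {
      throw new IllegalArgumentException("user-id must not contain ':'");
    }
    byte[] raw = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
    return "Basic " + Base64.getEncoder().encodeToString(raw);
  }

  /** Helper for relaying a JWT the caller already holds; the token is passed through unchanged. */
  static String bearer(String jwt) {
    // Shape check only (three base64url segments); the signature is validated by the server.
    if (!jwt.matches("[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+")) {
      throw new IllegalArgumentException("not a compact JWS");
    }
    return "Bearer " + jwt;
  }

  public static void main(String[] args) {
    Request q = new Request();
    q.setAuthorizationHeader(basic("sampleuser", "samplepass")); // constructed credentials
    System.out.println(q.getAuthorizationHeader());
    q.setAuthorizationHeader(bearer("aGVhZGVy.cGF5bG9hZA.c2ln")); // constructed placeholder token
    System.out.println(q.getAuthorizationHeader());
  }
}
```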


