Add resource server support for multiple trusted JWT access token issuers #5385
dyroberts opened this issue May 25, 2018 · 4 comments
@dyroberts dyroberts commented May 25, 2018

Summary

Add resource server support for multiple trusted JWT access token issuers

Actual Behavior

Presently we can configure a resource server's trusted JWT token issuer like:

security.oauth2.resource.jwt.keyUri=...
or
security.oauth2.resource.jwk.keySetUri=...

Expected Behavior

I'd like to suggest supporting something like (switching to yml):

security:
  oauth2:
    resource:
      issuers:
        issuer1:
          keyUri: ...
          issuerClaim: ...
        issuer2:
          keySetUri: ...
        issuer3:
          keyValue: ...

Note the optional issuerClaim for verification against the 'iss' claim.

@jgrandja jgrandja commented Jun 1, 2018

The key question to ask the UAA team: is the kid unique across identity zones?

@jgrandja jgrandja commented Apr 23, 2019

@jzheaux Has this been solved via #5351?

@jzheaux jzheaux commented Apr 25, 2019

@jgrandja good question - it's certainly possible via #5351 but it would not be very efficient. The resulting AuthenticationManagerResolver would need to parse the JWT and select the appropriate JwtAuthenticationManager instance accordingly, at which point it would be parsed again by the underlying JwtDecoder.

It seems to me that a JwtDecoder implementation may be better suited for this use case.

The AuthenticationManagerResolver is suitable for aspects of the request that are immediately obtainable, like a path, a header, or a subdomain.
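The JwtDecoder-based approach described in the comment above, as an added example that is not code from the Spring Security project or from this thread. The class `MultiIssuerJwtDecoder` and its factory method `trustingIssuers` are hypothetical names; the Spring Security types it builds on (`JwtDecoder`, `NimbusJwtDecoder`, `JwtValidators`, `JwtException`) and the Nimbus `JWTParser` are real APIs from spring-security-oauth2-jose and its Nimbus dependency. The map passed in mirrors the per-issuer `keySetUri` from the proposed configuration: each trusted issuer value maps to its own JWK Set URI.

```java
import java.text.ParseException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import com.nimbusds.jwt.JWTParser;

import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

/**
 * Hypothetical JwtDecoder (not part of Spring Security) that routes a bearer
 * token to the decoder registered for its "iss" claim. The unverified "iss"
 * value is used ONLY to pick a delegate; the delegate then verifies the
 * signature against that issuer's own JWK set and re-checks "iss", so a
 * forged "iss" can at most select a decoder whose keys did not sign the token.
 */
public final class MultiIssuerJwtDecoder implements JwtDecoder {

    private final Map<String, JwtDecoder> decodersByIssuer;

    public MultiIssuerJwtDecoder(Map<String, JwtDecoder> decodersByIssuer) {
        this.decodersByIssuer = Collections.unmodifiableMap(new HashMap<>(decodersByIssuer));
    }

    @Override
    public Jwt decode(String token) throws JwtException {
        String issuer = unverifiedIssuer(token);
        JwtDecoder delegate = this.decodersByIssuer.get(issuer);
        if (delegate == null) {
            // Unknown issuer: reject before any signature work is done.
            throw new JwtException("Untrusted issuer: " + issuer);
        }
        // Signature verification, exp/nbf checks and the issuer re-check
        // happen inside the per-issuer NimbusJwtDecoder.
        return delegate.decode(token);
    }

    /** Reads "iss" from the token without verifying it; routing only. */
    private static String unverifiedIssuer(String token) {
        try {
            String issuer = JWTParser.parse(token).getJWTClaimsSet().getIssuer();
            if (issuer == null) {
                throw new JwtException("Token has no iss claim");
            }
            return issuer;
        }
        catch (ParseException ex) {
            throw new JwtException("Malformed token", ex);
        }
    }

    /**
     * Builds one delegate per trusted issuer. Key: issuer value expected in
     * "iss"; value: that issuer's JWK Set URI. Keys are looked up per issuer,
     * so a "kid" reused across issuers (the UAA identity-zone question raised
     * earlier in this thread) cannot cause a cross-issuer key mix-up.
     */
    public static JwtDecoder trustingIssuers(Map<String, String> jwkSetUriByIssuer) {
        Map<String, JwtDecoder> decoders = new HashMap<>();
        jwkSetUriByIssuer.forEach((issuer, jwkSetUri) -> {
            NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
            // Default validators (timestamps) plus a required "iss" equal to this issuer.
            OAuth2TokenValidator<Jwt> validator = JwtValidators.createDefaultWithIssuer(issuer);
            decoder.setJwtValidator(validator);
            decoders.put(issuer, decoder);
        });
        return new MultiIssuerJwtDecoder(decoders);
    }
}
```

Usage is to expose `MultiIssuerJwtDecoder.trustingIssuers(map)` as the application's `JwtDecoder` bean, with one map entry per trusted issuer (for example `"https://issuer1.example/" -> "https://issuer1.example/.well-known/jwks.json"`, constructed placeholder values). Note that this router still parses the token twice (once for routing, once in the delegate), the same cost the comment above attributes to the resolver approach; the gain is that trust decisions stay inside the decoder, and a token whose `iss` is not in the map is rejected without touching any key set.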

@jzheaux jzheaux commented Jan 8, 2020

Fixed via de87675

@jzheaux jzheaux closed this Jan 8, 2020