lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Høydahl (Jira) <>
Subject [jira] [Commented] (SOLR-13734) JWTAuthPlugin to support multiple issuers
Date Thu, 12 Sep 2019 08:28:00 GMT


Jan Høydahl commented on SOLR-13734:

[~noble.paul] or others, do you have time for a quick look?

In particular I want feedback on the config syntax change and back-compat. I have focused
on supporting both new-style and old-style issuer configuration and currently print a warning
if old-style (top level json keys instead of inside 'issuers' array) is used. Although documentation
focus on new-style, I do no plan for removal of the old syntax.

Should we make the two equal and not print deprecation warnings? At minimum we need to keep
support until SOLR-13744 is done.


Also I'd like feedback on whether the CHANGES.txt and RefGuide page is clear both for old
and new users of the plugin.

> JWTAuthPlugin to support multiple issuers
> -----------------------------------------
>                 Key: SOLR-13734
>                 URL:
>             Project: Solr
>          Issue Type: New Feature
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Major
>              Labels: JWT, authentication, pull-request-available
>             Fix For: 8.3
>         Attachments: jwt-authentication-plugin.html
>          Time Spent: 20m
>  Remaining Estimate: 0h
> In some large enterprise environments, there is more than one [Identity Provider|] to
issue tokens for users. The equivalent example from the public internet is logging in to a
website and choose between multiple pre-defined IdPs (such as Google, GitHub, Facebook etc)
in the Oauth2/OIDC flow.
> In the enterprise the IdPs could be public ones but most likely they will be private
IdPs in various networks inside the enterprise. Users will interact with a search application,
e.g. one providing enterprise wide search, and will authenticate with one out of several IdPs
depending on their local affiliation. The search app will then request an access token (JWT)
for the user and issue requests to Solr using that token.
> The JWT plugin currently supports exactly one IdP. This JIRA will extend support for
multiple IdPs for access token validation only. To limit the scope of this Jira, Admin UI
login must still happen to the "primary" IdP. Supporting multiple IdPs for Admin UI login
can be done in followup issues.

This message was sent by Atlassian Jira

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message