Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OpenID: introducing support for OpenID configuration #509

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

brunodomenici
Copy link

BREAKING CHANGE: provider configuration changed from auth.authentication.provider to auth.authentication.jwt.enabled

Motivation

Allow the configuration of the OpenID authentication provider along side with JWT.

Modifications

Provider configuration auth.authentication.provider (only 'jwt' value was accepted) was decommissioned in favor of auth.authentication.jwt.enabled:

From:

auth:
  authentication:
    enabled: false
    provider: "jwt"

To:

# Enable or disable broker authentication and authorization.
auth:
  authentication:
    enabled: false
    jwt:
      enabled: false
      # Enable JWT authentication
      # If the token is generated by a secret key, set the usingSecretKey as true.
      # If the token is generated by a private key, set the usingSecretKey as false.
      usingSecretKey: false
    openid:
      enabled: false
#     # https://pulsar.apache.org/docs/next/security-openid-connect/#enable-openid-connect-authentication-in-the-broker-and-proxy
      openIDAllowedTokenIssuers: []
      openIDAllowedAudiences: []
      openIDTokenIssuerTrustCertsFilePath:
      openIDRoleClaim:
      openIDAcceptedTimeLeewaySeconds: "0"
      openIDCacheSize: "5"
      openIDCacheRefreshAfterWriteSeconds: "64800"
      openIDCacheExpirationSeconds: "86400"
      openIDHttpConnectionTimeoutMillis: "10000"
      openIDHttpReadTimeoutMillis: "10000"
      openIDKeyIdCacheMissRefreshSeconds: "300"
      openIDRequireIssuersUseHttps: "true"
      openIDFallbackDiscoveryMode: "DISABLED"

Verifying this change

  • Make sure that the change passes the CI checks.

BREAKING CHANGE: provider configuration changed from auth.authentication.provider to auth.authentication.jwt.enabled
@frankjkelly
Copy link
Contributor

Very cool - is there any presumption of what happens when the JWT token expires? Or if the client id / secret are rotated?

@brunodomenici
Copy link
Author

Very cool - is there any presumption of what happens when the JWT token expires? Or if the client id / secret are rotated?

According with the doc, the client will handle the refresh:

  1. When the token expires, the Pulsar Server challenges the client to re-authenticate with the Identity Provider and provide a new access token. If the client fails to re-authenticate, the Pulsar Server closes the connection.

I'm performing some tests. I let you know ;)

@brunodomenici brunodomenici marked this pull request as ready for review December 19, 2024 08:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants