Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenID: introducing support for OpenID configuration #509

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

OpenID: introducing support for OpenID configuration #509

wants to merge 1 commit into from

Conversation

brunodomenici
Copy link

BREAKING CHANGE: provider configuration changed from auth.authentication.provider to auth.authentication.jwt.enabled

Motivation

Allow the configuration of the OpenID authentication provider along side with JWT.

Modifications

Provider configuration auth.authentication.provider (only 'jwt' value was accepted) was decommissioned in favor of auth.authentication.jwt.enabled:

From:

auth:
  authentication:
    enabled: false
    provider: "jwt"

To:

# Enable or disable broker authentication and authorization.
auth:
  authentication:
    enabled: false
    jwt:
      enabled: false
      # Enable JWT authentication
      # If the token is generated by a secret key, set the usingSecretKey as true.
      # If the token is generated by a private key, set the usingSecretKey as false.
      usingSecretKey: false
    openid:
      enabled: false
#     # https://pulsar.apache.org/docs/next/security-openid-connect/#enable-openid-connect-authentication-in-the-broker-and-proxy
      openIDAllowedTokenIssuers: []
      openIDAllowedAudiences: []
      openIDTokenIssuerTrustCertsFilePath:
      openIDRoleClaim:
      openIDAcceptedTimeLeewaySeconds: "0"
      openIDCacheSize: "5"
      openIDCacheRefreshAfterWriteSeconds: "64800"
      openIDCacheExpirationSeconds: "86400"
      openIDHttpConnectionTimeoutMillis: "10000"
      openIDHttpReadTimeoutMillis: "10000"
      openIDKeyIdCacheMissRefreshSeconds: "300"
      openIDRequireIssuersUseHttps: "true"
      openIDFallbackDiscoveryMode: "DISABLED"

Verifying this change

  • Make sure that the change passes the CI checks.

@brunodomenici
feat!(openid): introducing support for openid configuration
39f91ee 
BREAKING CHANGE: provider configuration changed from auth.authentication.provider to auth.authentication.jwt.enabled
@frankjkelly
Copy link
Contributor

Very cool - is there any presumption of what happens when the JWT token expires? Or if the client id / secret are rotated?

@brunodomenici
Copy link
Author

Very cool - is there any presumption of what happens when the JWT token expires? Or if the client id / secret are rotated?

According with the doc, the client will handle the refresh:

  1. When the token expires, the Pulsar Server challenges the client to re-authenticate with the Identity Provider and provide a new access token. If the client fails to re-authenticate, the Pulsar Server closes the connection.

I'm performing some tests. I let you know ;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@brunodomenici @frankjkelly