OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

Support selecting JWT signature and decryption algorithms from JOSE header #19498

Open teddyjtorres opened 2 years ago

teddyjtorres commented 2 years ago

Is your feature request related to a problem? Please describe.
For OIDC, mpJwt, etc., the algorithms are currently specified via the configuration in the server.xml or the MP Config properties file. This limits the configuration of those features to a specific algorithm. If the JWT is signed using a different algorithm, the same configuration cannot be used, since it only supports a single algorithm.

Describe the solution you'd like
Allow an administrator to configure a list of allowed algorithms for OIDC, mpJwt, etc., so that the JWT can be signed using any one of the allowed algorithms. The JOSE header in the JWT specifies the algorithm to use for verifying the JWT.

Describe alternatives you've considered
Multiple OIDC or mpJwt configs with authFilters.

Additional context
This Epic stems from @markhiscock's comment in https://github.com/OpenLiberty/open-liberty/issues/12213#issuecomment-688897233
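The verifier behaviour the request above describes, as an added example that is not Open Liberty code and not part of the issue: the JOSE header's `alg` only selects an entry from an administrator-configured allowlist, and each allowed algorithm is bound to the one key that may be used with it. Anything the header names that is not on the list (including `none`) is rejected before any cryptography runs, which is the check that keeps "pick the algorithm from the header" from turning into the classic algorithm-confusion problem. The example uses only the Python standard library, so it implements the HMAC family (HS256/HS384/HS512) only; the `ALLOWED` structure, the key values and the tokens are constructed here and are not Liberty configuration.

```python
"""Allowlist-constrained selection of the JWT signature algorithm from the
JOSE header.  Added illustration, not Open Liberty code: it uses only the
Python standard library, so only the HMAC family (HS256/HS384/HS512) is
implemented; the allowlist shape, key names and tokens are constructed here."""
import base64
import hashlib
import hmac
import json

# Digest behind each supported JWS algorithm name (RFC 7518 section 3.2).
HMAC_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# Constructed stand-in for an administrator's allowlist: each permitted alg is
# bound to the one key that may be used with it, so a token's header can only
# pick *which* of these pairs to verify against, never supply its own key or alg.
ALLOWED = {"HS256": b"constructed-key-for-hs256", "HS512": b"constructed-key-for-hs512"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(alg: str, key: bytes, payload: dict) -> str:
    """Issuer side: build a compact JWS. alg 'none' yields an empty signature."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header}.{body}".encode()
    if alg == "none":
        sig = b""
    else:
        sig = hmac.new(key, signing_input, HMAC_DIGESTS[alg]).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify(token: str, allowed: dict) -> dict:
    """Verifier side: the header's alg selects an entry from `allowed`;
    anything else (including 'none') is rejected before any crypto runs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg not in allowed:
        raise ValueError(f"alg {alg!r} not in allowlist")
    if alg not in HMAC_DIGESTS:
        raise ValueError(f"alg {alg!r} allowed but not supported by this verifier")
    signing_input = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(allowed[alg], signing_input, HMAC_DIGESTS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(body_b64))


def outcome(token: str, allowed: dict = ALLOWED) -> str:
    """'accepted' or the rejection reason, for the demonstration below."""
    try:
        verify(token, allowed)
        return "accepted"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    claims = {"sub": "alice", "iss": "https://issuer.example"}
    cases = {
        "HS256 with its key": make_token("HS256", ALLOWED["HS256"], claims),
        "HS512 with its key": make_token("HS512", ALLOWED["HS512"], claims),
        "HS384 (not on the allowlist)": make_token("HS384", ALLOWED["HS256"], claims),
        "HS512 signed with the HS256 key": make_token("HS512", ALLOWED["HS256"], claims),
        "alg none": make_token("none", b"", claims),
    }
    for name, tok in cases.items():
        print(f"{name}: {outcome(tok)}")
```

Two of the cases are the ones worth copying into any real implementation of this feature: a header that names an algorithm the administrator did not list is refused without touching the signature, and a token that names an allowed algorithm but was signed with the key bound to a different one fails verification, because the allowlist entry, not the token, decides which key is used.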

markhiscock commented 6 months ago

Hi @ayoho and @teddyjtorres, I was wondering when this capability will be made available to users?

ayoho commented 6 months ago

Hi, @markhiscock. At the moment the Security SSO team has other higher priority work that’s being focused on (specifically, work to implement various Jakarta EE 11 specifications targeted for this year). I see the issue is pretty far down in the Security column in the Open Liberty roadmap (https://github.com/orgs/OpenLiberty/projects/2#card-73846984). We can re-introduce this issue in the prioritization calls for Open Liberty features, but it will still fall behind the Jakarta work. This could easily be something we aren’t even able to look at for the next 6 months.