apache / pulsar

Apache Pulsar - distributed pub-sub messaging system
https://pulsar.apache.org/
Apache License 2.0

PIP-226: Add JWKS support for AuthenticationProviderToken #18798

Open nodece opened 1 year ago

nodece commented 1 year ago

Discussion: https://lists.apache.org/thread/kvkrcyrkv2h15jvbj3oogojqn4vm6092

Vote: https://lists.apache.org/thread/03v8dz51j47z2mbbsb4yyms0hqkk9jc3

Motivation

Usually, we use one public or secret key to verify the JWT in Pulsar, but some users need to use different keys to verify the JWT.

This is an excellent issue to improve JWT security: the client can send a different JWT to the broker, which is then verified by the broker using the corresponding key.

See https://github.com/apache/pulsar/issues/8152

Goal

https://openid.net/specs/draft-jones-json-web-key-03.html defines the JSON Web Key Set (JWKS), which includes a set of public keys for the RSA or ECDSA algorithms issued by the OAuth2 server and used to verify the JSON Web Token (JWT).

The goal of this PIP is to add the JWKS feature to provide rotation of validation keys.

API Changes

No response

Implementation

This feature needs to define a tokenKeySetKey config in the broker config file to input JWKS data to the AuthenticationProviderToken, then parse this JWKS data to generate all the keys when initializing the AuthenticationProviderToken. The JWT and JWK are associated based on the kid value, one from the JWT header, one from the JWK body.

JWKS body:

```json
{
  "keys": [
    {
      "kty": "EC",
      "crv": "P-256",
      "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
      "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
      "use": "enc",
      "kid": "app-1"
    },
    {
      "kty": "RSA",
      "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
      "e": "AQAB",
      "alg": "RS256",
      "kid": "app-2"
    }
  ]
}
```

JWT header (the alg must match the key that kid app-2 selects, which is an RS256 RSA key):

```json
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "app-2"
}
```

tokenKeySetKey format:

Alternatives

No response

Anything else?

PR: https://github.com/apache/pulsar/pull/18336

Reference:
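The kid-based lookup the PIP describes, as an added Go example that is not part of the PIP or of Pulsar's code base (Pulsar's provider is Java; Go's standard library is used here so the whole parse/verify flow runs offline with no dependencies). It assumes a JWKS containing RSA/RS256 signing keys, skips entries marked "use":"enc" such as app-1 above, refuses duplicate kids and moduli under 2048 bits, and derives the accepted alg from the loaded key so a token header cannot substitute HS256 for the RSA key. The EC key values are the PIP's own sample, the RSA key is generated at run time, and the names Verifier, NewVerifier, Verify, sign and Demo are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// jwk holds the JWKS fields this verifier needs; encoding/json maps "kty", "kid", ... onto them.
type jwk struct{ Kty, Kid, Use, Alg, N, E string }
var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url throughout

// Verifier is the kid -> public key map a broker would build once from tokenKeySetKey.
// Assumption for brevity: only RSA/RS256 signing keys are loaded; "use":"enc" entries
// (app-1 in the PIP's sample) are skipped because an encryption key must never verify signatures.
type Verifier struct{ pub map[string]*rsa.PublicKey }

func NewVerifier(jwksJSON []byte) (*Verifier, error) {
	var set struct{ Keys []jwk }
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return nil, err
	}
	v := &Verifier{pub: map[string]*rsa.PublicKey{}}
	for _, k := range set.Keys {
		if k.Kid == "" || k.Kty != "RSA" || (k.Use != "" && k.Use != "sig") {
			continue // no kid to match on, unsupported type, or not a signing key
		}
		nb, err1 := b64.DecodeString(k.N)
		eb, err2 := b64.DecodeString(k.E)
		n, e := new(big.Int).SetBytes(nb), new(big.Int).SetBytes(eb)
		if _, dup := v.pub[k.Kid]; dup || err1 != nil || err2 != nil || (k.Alg != "" && k.Alg != "RS256") ||
			n.BitLen() < 2048 || !e.IsInt64() || e.Int64() < 3 {
			return nil, fmt.Errorf("kid %q: duplicate, malformed, wrong alg or too-small RSA key", k.Kid)
		}
		v.pub[k.Kid] = &rsa.PublicKey{N: n, E: int(e.Int64())}
	}
	return v, nil
}

// Verify checks a compact JWS against the key its kid names. The accepted alg is fixed by
// the loaded key, not read from the header, so a token cannot repoint an RSA key at HS256.
func (v *Verifier) Verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWS")
	}
	hdrRaw, err1 := b64.DecodeString(parts[0])
	body, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil {
		return nil, fmt.Errorf("malformed JWS header or encoding")
	}
	pub, ok := v.pub[hdr.Kid]
	if !ok || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("kid %q unknown or alg %q not allowed for it", hdr.Kid, hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	claims := map[string]any{} // non-nil so Unmarshal fills this same map in place
	return claims, json.Unmarshal(body, &claims)
}

// sign builds a demo token; in production the issuer does this, not the broker.
func sign(priv *rsa.PrivateKey, kid, alg, sub string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString([]byte(`{"sub":"`+sub+`"}`))
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// Demo loads a JWKS shaped like the PIP's sample (app-1: its EC "enc" key verbatim, app-2: a
// freshly generated RSA key) and verifies a valid token, one naming the enc key's kid, and one
// whose header claims HS256 for the RSA key. Only the first is expected to succeed.
func Demo() (claims map[string]any, encKidErr, algErr, err error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwksJSON := fmt.Sprintf(`{"keys":[{"kty":"EC","crv":"P-256","use":"enc","kid":"app-1",
	  "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4","y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"},
	  {"kty":"RSA","n":%q,"e":"AQAB","alg":"RS256","kid":"app-2"}]}`, b64.EncodeToString(key.N.Bytes()))
	v, err := NewVerifier([]byte(jwksJSON))
	if err != nil {
		return nil, nil, nil, err
	}
	claims, err = v.Verify(sign(key, "app-2", "RS256", "client-1"))
	_, encKidErr = v.Verify(sign(key, "app-1", "RS256", "x")) // the enc key was never loaded
	_, algErr = v.Verify(sign(key, "app-2", "HS256", "x"))    // an RSA key is not an HS256 key
	return claims, encKidErr, algErr, err
}

func main() {
	fmt.Println(Demo())
}
```

The two rejected tokens are the cases a JWKS-backed provider has to get right: the kid of an encryption-only key must resolve to nothing, and the header's alg must be ignored in favour of what the selected key supports. In Pulsar's Java provider the same shape can be obtained with jjwt's SigningKeyResolver, resolving the header kid against the map built at startup (a suggestion, not something the PIP specifies).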

github-actions[bot] commented 1 year ago

The issue had no activity for 30 days; marking it with the Stale label.

damienburke commented 8 months ago

Would the idea be to maintain the current config / approach for configuring / using a single key? i.e., in addition to a tokenKeySetKey config, do we keep the configs like tokenPublicKey, tokenAuthClaim, etc.? I would assume yes, for backwards compatibility and supporting folks with simpler use cases (e.g. a single, non-rotating key).

Thanks

damienburke commented 8 months ago

So I am late to the game, as I see https://github.com/apache/pulsar/pull/18336 was worked on - but closed.

We happily use JWT auth today though, and if we had the JWKS functionality we would be even happier. I am hesitant to move to OpenID auth though, as it is rather more complex than the super simple sign/verify JWT auth. Is there any contribution, etc. I could make to revive this PIP and https://github.com/apache/pulsar/pull/18336?

Thanks