> Decoded Payload: {"sub":"my-test-subject"}

And sub is role? I guess you didn't use "role" since "sub" is a jwt builtin?

>> key? Where should the private key be stored? Is it PSK?
>
> I would leave that outside the scope of this plugin. It would be good to mention it in the PIP to give a little context.
>
>> How do we block compromised tokens?
>
> I think the easiest approach is to keep 1 principal per each token. With this, to block a compromised token, we would just have to remove ACLs given to the principal associated with the token.
>
> Downside of this approach is that if that principal was granted permissions on multiple namespaces/topics, we'd have to remove from each of them.
>
> The other approach, which we should consider in future, is to add support of a revocation list. The implementation would be essentially a hash-set with notifications to all brokers. Each broker will be notified when a new principal is revoked and will force disconnection of any connected producer/consumer using that token.

1 principal per token is clunky for the reason you mentioned. It also requires we have an index somewhere mapping principal to resource.

We should get onto the revocation list stuff ASAP, but that requires system topics be well defined :/

-Ivan
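The revocation-list design sketched in the quoted reply (a hash-set of revoked principals, pushed to every broker, each broker dropping connections that authenticated with a revoked principal), as an added example that is not code from the thread or from Pulsar. The HS256 signing key, the `Broker` class and the `revoke` helper are constructed for illustration; the only thing taken from the thread is that the JWT `sub` claim is used as the role.

```python
import base64, hashlib, hmac, json

# Constructed demo secret. As the thread notes, where the real key lives is outside the plugin.
SECRET = b"constructed-demo-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(subject: str) -> str:
    """Build an HS256 JWT whose payload carries only the sub claim (the role)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": subject}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

class Broker:
    """One broker: verifies tokens, maps sub to the role, tracks live connections."""
    def __init__(self):
        self.revoked = set()     # the revocation list: a hash-set of principals
        self.connections = {}    # connection id -> authenticated principal

    def authenticate(self, token: str) -> str:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise PermissionError("bad signature")
        role = json.loads(b64url_decode(payload))["sub"]   # sub is the role
        if role in self.revoked:
            raise PermissionError(f"principal {role} is revoked")
        return role

    def connect(self, conn_id: str, token: str) -> None:
        self.connections[conn_id] = self.authenticate(token)

    def on_revoked(self, principal: str) -> None:
        """Notification handler: record the principal and force-disconnect its clients."""
        self.revoked.add(principal)
        self.connections = {c: p for c, p in self.connections.items() if p != principal}

def revoke(principal: str, brokers: list) -> None:
    """Fan the revocation out to all brokers (stands in for a system-topic notification)."""
    for broker in brokers:
        broker.on_revoked(principal)
```

Because revocation keys on the principal rather than on ACLs, one notification removes access across every namespace/topic the principal was granted, which is the index problem the 1-principal-per-token approach would otherwise need to solve.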