I support adding JWKS retrieval to our Token Auth Provider, and thank you for your many security-related contributions, Zixuan.
I see your PIP implementation here [0]. I would like to discuss a competing implementation of a similar feature before we move forward with this PIP. I wrote an AuthenticationProviderPlugin to add OpenID Connect support here [1], and I would like to discuss contributing it to Apache Pulsar. My plugin supports retrieving JWKS from an identity provider, as your PIP proposes. In addition to the proposed additions in this PIP, my OIDC plugin:

* supports multiple token issuers, known as trusted issuers in the plugin
* retrieves the JWKS URI for each issuer from the token issuer's /.well-known/openid-configuration endpoint
* retrieves the JWKS when a client attempts to connect using a token issued by one of the trusted issuers
* refreshes the JWKS after a configured amount of time, which allows for seamless key rotation without needing to restart the proxy/broker/function worker. (Restarts are still needed to mitigate problems like leaked private keys.)

I think these extra features would be very valuable in Apache Pulsar. I am not sure how to proceed in this case where there are two implementations, but I think that if we add an OIDC auth provider or merge my OIDC plugin into the TokenAuthProvider, we might not need this PIP in its current form. What is your perspective on my alternative solution?

On a practical licensing note, contributing the OIDC plugin to Apache Pulsar should not face any issues because Lari Hotari and I are the sole contributors, and I have permission from Lari and DataStax to contribute it. It has Apache License 2.0.

Thanks,
Michael

[0] https://github.com/apache/pulsar/pull/18336
[1] https://github.com/datastax/pulsar-openid-connect-plugin

On Wed, Dec 7, 2022 at 4:59 AM Zixuan Liu <node...@gmail.com> wrote:
>
> Hi all,
>
> I made a PIP to discuss: https://github.com/apache/pulsar/issues/18798.
>
> Thanks,
> Zixuan
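The flow Michael describes above (a set of trusted issuers, the jwks_uri discovered from each issuer's /.well-known/openid-configuration endpoint, the JWKS fetched when a client first connects and refreshed on a timer so key rotation needs no restart) is shown below as an added example. It is not code from the DataStax plugin, from Pulsar or from the PIP; it is a Python stand-in for what would be Java in a Pulsar AuthenticationProvider. Everything about the identity provider is constructed for the demo: the host idp.example.test, the /protocol/keys path, the two key versions, and the use of symmetric "oct" JWKs with HS256 so the block needs only the standard library (real IdPs publish RSA/EC keys; the issuer check, discovery, caching and kid lookup are the same). HTTP is replaced by an injected fetch function and the clock by an injected callable so the rotation scenario runs offline.

```python
import base64, hashlib, hmac, json, time

class AuthError(Exception):
    pass

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed identity provider: hypothetical host, discovery URL, JWKS URL and two key versions.
# Symmetric "oct" JWKs with HS256 keep this stdlib-only; real IdPs publish RSA/EC keys instead.
ISSUER = "https://idp.example.test"
DISCOVERY_URL = ISSUER + "/.well-known/openid-configuration"
JWKS_URL = ISSUER + "/protocol/keys"
KEY_V1 = {"kty": "oct", "kid": "2022-11", "alg": "HS256", "k": b64url_encode(b"first-signing-secret")}
KEY_V2 = {"kty": "oct", "kid": "2022-12", "alg": "HS256", "k": b64url_encode(b"rotated-signing-secret")}

def mint_token(jwk: dict, claims: dict) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(b64url_decode(jwk["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

class OidcTokenValidator:
    """Trusted issuers; jwks_uri discovered per issuer; JWKS fetched on first use, refreshed after refresh_seconds."""

    def __init__(self, trusted_issuers, fetch_json, refresh_seconds: float, clock=time.time):
        self.trusted_issuers = set(trusted_issuers)
        self.fetch_json = fetch_json  # injected HTTP GET -> parsed JSON, so the demo runs offline
        self.refresh_seconds, self.clock = refresh_seconds, clock
        self._jwks: dict = {}  # issuer -> (fetched_at, {kid: jwk})

    def _jwks_uri_for(self, issuer: str) -> str:
        doc = self.fetch_json(issuer.rstrip("/") + "/.well-known/openid-configuration")
        if doc.get("issuer") != issuer:  # the discovery document must name the issuer it serves
            raise AuthError("discovery document issuer mismatch")
        return doc["jwks_uri"]

    def _keys_for(self, issuer: str) -> dict:
        now, cached = self.clock(), self._jwks.get(issuer)
        if cached is None or now - cached[0] >= self.refresh_seconds:  # first use or refresh due
            jwks = self.fetch_json(self._jwks_uri_for(issuer))
            cached = self._jwks[issuer] = (now, {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k})
        return cached[1]

    def authenticate(self, token: str) -> dict:
        try:
            h, p, s = token.split(".")
            header, payload = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
            issuer, kid = payload.get("iss"), header.get("kid")
        except (ValueError, AttributeError):
            raise AuthError("malformed token")
        if not isinstance(issuer, str) or issuer not in self.trusted_issuers:
            raise AuthError("untrusted issuer")  # decided before any network access
        jwk = self._keys_for(issuer).get(kid)
        if jwk is None:
            raise AuthError("unknown key id")
        # Pin the algorithm to what the JWKS publishes for this key; the header alone is untrusted.
        if jwk.get("alg") != "HS256" or header.get("alg") != "HS256":
            raise AuthError("unsupported algorithm")
        expected = hmac.new(b64url_decode(jwk["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise AuthError("bad signature")
        if "exp" in payload and self.clock() >= payload["exp"]:
            raise AuthError("token expired")
        return payload

def rejected(v: OidcTokenValidator, token: str) -> bool:
    try:
        v.authenticate(token)
    except AuthError:
        return True
    return False

def demo() -> dict:
    """Offline key-rotation scenario; returns what each step observed."""
    docs, fetched = {DISCOVERY_URL: {"issuer": ISSUER, "jwks_uri": JWKS_URL}, JWKS_URL: {"keys": [KEY_V1]}}, []
    def fetch_json(url: str) -> dict:
        fetched.append(url)
        return docs[url]
    now, out = [1_000_000.0], {}
    v = OidcTokenValidator([ISSUER], fetch_json, refresh_seconds=300, clock=lambda: now[0])
    tok_v1 = mint_token(KEY_V1, {"iss": ISSUER, "sub": "client-a", "exp": now[0] + 3600})
    for _ in range(2):  # two client connects; the second is served from the cache
        out["first_sub"] = v.authenticate(tok_v1)["sub"]
    out["fetches_after_two_auths"] = len(fetched)  # discovery + one JWKS fetch
    rogue = mint_token(KEY_V1, {"iss": "https://rogue.example.test", "sub": "x"})
    out["rogue_issuer_rejected"] = rejected(v, rogue)
    out["fetches_after_rogue"] = len(fetched)  # unchanged: untrusted issuers trigger no discovery
    docs[JWKS_URL] = {"keys": [KEY_V2]}  # the IdP rotates its signing key
    tok_v2 = mint_token(KEY_V2, {"iss": ISSUER, "sub": "client-b", "exp": now[0] + 3600})
    out["rotated_accepted_before_refresh"] = not rejected(v, tok_v2)
    now[0] += 301  # the refresh window elapses; next connect re-fetches discovery and JWKS
    out["rotated_sub_after_refresh"] = v.authenticate(tok_v2)["sub"]
    out["old_key_rejected_after_refresh"] = rejected(v, tok_v1)
    return out
```

Calling demo() walks through the scenario: the first connect costs one discovery fetch and one JWKS fetch, the second is answered from the cache, a token from an issuer outside the trusted set is refused without any network access, and a token signed with the rotated key is refused until the configured refresh elapses and then accepted without any restart. The last step also shows the caveat behind the timer: once the refreshed JWKS no longer lists the old kid, tokens signed with it are rejected, so an identity provider should publish both keys during the overlap period, and a leaked key is only dropped when the IdP removes it and the next refresh runs.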