Hi Michael, Thank you for your suggestion!
OIDC is very popular everywhere and makes great sense for Apache Pulsar. Your OIDC plugin is excellent; it follows the OIDC standard and includes my PIP idea. I'm looking forward to your OIDC plugin. However, some users don't use an OIDC service, and it may be too complicated for them to use your OIDC plugin, so I want to move forward with my PIP.

Thanks,
Zixuan

Michael Marshall <mmarsh...@apache.org> wrote on Sat, Dec 24, 2022 at 05:34:

> I support adding JWKS retrieval to our Token Auth Provider, and thank
> you for your many security related contributions, Zixuan.
>
> I see your PIP implementation here [0]. I would like to discuss a
> competing implementation of a similar feature before we move forward
> with this PIP. I wrote an AuthenticationProviderPlugin to add OpenID
> Connect support here [1], and I would like to discuss contributing it
> to Apache Pulsar. My plugin supports retrieving JWKS from an identity
> provider, as your PIP proposes.
>
> In addition to the proposed additions in this PIP, my OIDC plugin:
>
> * supports multiple token issuers, known as trusted issuers in the plugin
>
> * retrieves the JWKS uri for each issuer from the token issuer's
> /.well-known/openid-configuration endpoint
>
> * retrieves the JWKS when a client attempts to connect using a token
> issued by one of the trusted issuers
>
> * refreshes the JWKS after a configured amount of time, which allows
> for seamless key rotation without needing to restart the
> proxy/broker/function worker. (Restarts are still needed to mitigate
> problems like leaked private keys.)
>
> I think these extra features would be very valuable in Apache Pulsar.
> I am not sure how to proceed in this case where there are two
> implementations, but I think that if we add an OIDC auth provider or
> merge my OIDC plugin into the TokenAuthProvider, we might not need
> this PIP in its current form.
>
> What is your perspective on my alternative solution?
>
> On a practical licensing note, contributing the OIDC plugin to Apache
> Pulsar should not face any issues because Lari Hotari and I are the
> sole contributors, and I have permission from Lari and DataStax to
> contribute it. It has Apache License 2.0.
>
> Thanks,
> Michael
>
> [0] https://github.com/apache/pulsar/pull/18336
> [1] https://github.com/datastax/pulsar-openid-connect-plugin
>
> On Wed, Dec 7, 2022 at 4:59 AM Zixuan Liu <node...@gmail.com> wrote:
> >
> > Hi all,
> >
> > I made a PIP to discuss: https://github.com/apache/pulsar/issues/18798.
> >
> > Thanks,
> > Zixuan
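The flow Michael describes (trusted issuer list, jwks_uri taken from the issuer's /.well-known/openid-configuration, JWKS fetched lazily on first use and refreshed after a configured interval so rotated keys are picked up) as an added, self-contained illustration; it is not code from Pulsar or from the DataStax plugin. To run offline with the standard library it uses HS256 with symmetric `oct` JWKs and a constructed `fake_http_get` standing in for the HTTPS requests; a real identity provider publishes RSA/EC keys and the same lookup logic applies.

```python
import base64, hashlib, hmac, json, time

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed stand-in for the issuer's HTTPS endpoints so the example runs offline.
ISSUER = "https://issuer-a.example"
KEYS = {"k1": b"constructed-secret-1"}   # kid -> key the issuer currently publishes (constructed)
def fake_http_get(url: str) -> dict:     # stands in for an HTTPS GET of the two OIDC documents
    return {ISSUER + "/.well-known/openid-configuration": {"issuer": ISSUER, "jwks_uri": ISSUER + "/keys"},
            ISSUER + "/keys": {"keys": [{"kty": "oct", "kid": k, "k": b64u(v)} for k, v in KEYS.items()]}}[url]

def mint(kid: str, claims: dict) -> str:   # issuer side: HS256 JWT signed with the key named by kid
    head = b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

class JwksVerifier:
    def __init__(self, trusted_issuers, http_get, refresh_seconds=300, clock=time.time):
        self.trusted, self.http_get, self.refresh, self.clock = set(trusted_issuers), http_get, refresh_seconds, clock
        self.cache = {}  # issuer -> (jwks document, time it was fetched)

    def jwks_for(self, issuer: str) -> dict:
        hit = self.cache.get(issuer)
        if hit is None or self.clock() - hit[1] >= self.refresh:   # lazy first fetch, then periodic refresh
            conf = self.http_get(issuer + "/.well-known/openid-configuration")
            if conf.get("issuer") != issuer:                          # discovery doc must name the issuer we asked for
                raise ValueError("discovery document does not belong to " + issuer)
            hit = (self.http_get(conf["jwks_uri"]), self.clock())
            self.cache[issuer] = hit
        return hit[0]

    def verify(self, token: str) -> dict:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = json.loads(b64u_decode(head_b64)), json.loads(b64u_decode(body_b64))
        if claims.get("iss") not in self.trusted:                     # only configured issuers are consulted
            raise ValueError("untrusted issuer")
        if header.get("alg") != "HS256":                              # the verifier pins the algorithm, not the token
            raise ValueError("unexpected alg")
        jwk = next((k for k in self.jwks_for(claims["iss"])["keys"] if k.get("kid") == header.get("kid")), None)
        if jwk is None:                                               # rotated key not yet refreshed, or bogus kid
            raise ValueError("no JWKS key with kid " + str(header.get("kid")))
        want = hmac.new(b64u_decode(jwk["k"]), f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, b64u_decode(sig_b64)):
            raise ValueError("bad signature")
        if claims.get("exp", 0) <= self.clock():
            raise ValueError("token expired")
        return claims
```

A token signed with a freshly published kid is rejected until the refresh interval elapses, which is the trade-off between refresh period and how quickly rotated keys are accepted.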