Ping Michael.
Zixuan Liu <node...@gmail.com> wrote on Mon, Dec 26, 2022 at 11:07:

> Hi Michael,
>
> Thank you for your suggestion!
>
> OIDC is very popular everywhere and makes great sense for Apache Pulsar. Your OIDC plugin is excellent; it follows the OIDC standard and includes my PIP idea. I'm looking forward to your OIDC plugin.
>
> However, some users don't use the OIDC service, and it may be too complicated to use your OIDC plugin, so I want to move forward with my PIP.
>
> Thanks,
> Zixuan
>
> Michael Marshall <mmarsh...@apache.org> wrote on Sat, Dec 24, 2022 at 05:34:
>
>> I support adding JWKS retrieval to our Token Auth Provider, and thank you for your many security-related contributions, Zixuan.
>>
>> I see your PIP implementation here [0]. I would like to discuss a competing implementation of a similar feature before we move forward with this PIP. I wrote an AuthenticationProviderPlugin to add OpenID Connect support here [1], and I would like to discuss contributing it to Apache Pulsar. My plugin supports retrieving JWKS from an identity provider, as your PIP proposes.
>>
>> In addition to the proposed additions in this PIP, my OIDC plugin:
>>
>> * supports multiple token issuers, known as trusted issuers in the plugin
>>
>> * retrieves the JWKS URI for each issuer from the token issuer's /.well-known/openid-configuration endpoint
>>
>> * retrieves the JWKS when a client attempts to connect using a token issued by one of the trusted issuers
>>
>> * refreshes the JWKS after a configured amount of time, which allows for seamless key rotation without needing to restart the proxy/broker/function worker. (Restarts are still needed to mitigate problems like leaked private keys.)
>>
>> I think these extra features would be very valuable in Apache Pulsar.
>>
>> I am not sure how to proceed in this case where there are two implementations, but I think that if we add an OIDC auth provider or merge my OIDC plugin into the TokenAuthProvider, we might not need this PIP in its current form.
>>
>> What is your perspective on my alternative solution?
>>
>> On a practical licensing note, contributing the OIDC plugin to Apache Pulsar should not face any issues because Lari Hotari and I are the sole contributors, and I have permission from Lari and DataStax to contribute it. It has Apache License 2.0.
>>
>> Thanks,
>> Michael
>>
>> [0] https://github.com/apache/pulsar/pull/18336
>> [1] https://github.com/datastax/pulsar-openid-connect-plugin
>>
>> On Wed, Dec 7, 2022 at 4:59 AM Zixuan Liu <node...@gmail.com> wrote:
>> >
>> > Hi all,
>> >
>> > I made a PIP to discuss: https://github.com/apache/pulsar/issues/18798.
>> >
>> > Thanks,
>> > Zixuan
>> >
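Added example, not code from this thread, from PIP #18798 or from the datastax plugin: a small Go verifier sketching the behaviour Michael lists above. It keeps a set of trusted issuers, reads jwks_uri from <issuer>/.well-known/openid-configuration, fetches that issuer's JWKS lazily on the first token it sees from it, and refetches once the cached copy is older than a configured TTL, which is what lets the identity provider rotate keys without a broker restart. The mock identity provider (newMockIdP, mint, the kid values "key-1"/"key-2", the user names and the in-process httptest URL) is constructed for the example; none of it is a Pulsar or plugin API.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

var b64 = base64.RawURLEncoding

// Validator keeps a trusted-issuer set and a per-issuer JWKS cache: jwks_uri is read from
// <issuer>/.well-known/openid-configuration, the JWKS is fetched on the first token seen
// from that issuer, and refetched once the cached copy is older than ttl (key rotation).
type Validator struct {
	trusted map[string]bool
	ttl     time.Duration
	now     func() time.Time // clock hook so a refresh can be forced without sleeping
	mu      sync.Mutex
	keys    map[string]map[string]*rsa.PublicKey // issuer -> kid -> key
	fetched map[string]time.Time                 // issuer -> time of last JWKS fetch
}

func NewValidator(issuers []string, ttl time.Duration) *Validator {
	v := &Validator{trusted: map[string]bool{}, ttl: ttl, now: time.Now,
		keys: map[string]map[string]*rsa.PublicKey{}, fetched: map[string]time.Time{}}
	for _, iss := range issuers {
		v.trusted[iss] = true
	}
	return v
}

func getJSON(url string, out interface{}) error {
	resp, err := http.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return json.NewDecoder(resp.Body).Decode(out)
}

func decodePart(part string, out interface{}) error { // one base64url JSON segment of a JWT
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, out)
}

// keysFor serves from cache while it is fresh, otherwise runs discovery and refetches the JWKS.
func (v *Validator) keysFor(issuer string) (map[string]*rsa.PublicKey, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	if k, ok := v.keys[issuer]; ok && v.now().Sub(v.fetched[issuer]) < v.ttl {
		return k, nil
	}
	var disc struct {
		JWKSURI string `json:"jwks_uri"`
	}
	if err := getJSON(strings.TrimSuffix(issuer, "/")+"/.well-known/openid-configuration", &disc); err != nil {
		return nil, err
	}
	var set struct{ Keys []struct{ Kty, Kid, N, E string } } // encoding/json matches kty/kid/n/e case-insensitively
	if err := getJSON(disc.JWKSURI, &set); err != nil {
		return nil, err
	}
	byKid := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && errN == nil && errE == nil {
			byKid[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	v.keys[issuer], v.fetched[issuer] = byKid, v.now()
	return byKid, nil
}

// Validate pins RS256, requires a trusted iss, verifies the signature with the key named
// by kid and rejects expired tokens; it returns the subject on success.
func (v *Validator) Validate(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	var claims struct {
		Iss, Sub string
		Exp      int64
	}
	if decodePart(parts[0], &hdr) != nil || decodePart(parts[1], &claims) != nil {
		return "", fmt.Errorf("undecodable header or claims")
	}
	if hdr.Alg != "RS256" { // never let the token pick its own algorithm ("none", HS256 with the public key, ...)
		return "", fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	if !v.trusted[claims.Iss] {
		return "", fmt.Errorf("untrusted issuer %q", claims.Iss)
	}
	keys, err := v.keysFor(claims.Iss)
	if err != nil {
		return "", err
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return "", fmt.Errorf("kid %q not in cached JWKS", hdr.Kid)
	}
	sig, _ := b64.DecodeString(parts[2]) // a decode error leaves sig short, which VerifyPKCS1v15 rejects
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("bad signature")
	}
	if v.now().Unix() >= claims.Exp {
		return "", fmt.Errorf("token expired or exp missing")
	}
	return claims.Sub, nil
}

// Constructed mock IdP (not a real provider): one signing key under a kid, a discovery
// document and a JWKS for that key. Reassigning idpKey/idpKid simulates key rotation.
var idpKey, idpKid = newKey(), "key-1"

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newMockIdP() *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		pub := idpKey.PublicKey
		switch r.URL.Path {
		case "/.well-known/openid-configuration":
			json.NewEncoder(w).Encode(map[string]string{"issuer": srv.URL, "jwks_uri": srv.URL + "/keys"})
		case "/keys":
			json.NewEncoder(w).Encode(map[string][]map[string]string{"keys": {{"kty": "RSA", "kid": idpKid,
				"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
		default:
			http.NotFound(w, r)
		}
	}))
	return srv
}

// mint signs an RS256 token with the mock IdP's current key; iss is a parameter so a
// token from an untrusted issuer can be produced too.
func mint(iss, sub string, exp time.Time) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": idpKid})
	body, _ := json.Marshal(map[string]interface{}{"iss": iss, "sub": sub, "exp": exp.Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	idp := newMockIdP()
	defer idp.Close()
	v := NewValidator([]string{idp.URL}, time.Hour)
	fmt.Println(v.Validate(mint(idp.URL, "alice", time.Now().Add(time.Minute))))
	idpKey, idpKid = newKey(), "key-2" // rotation: rejected until the cached JWKS ages past ttl
	fmt.Println(v.Validate(mint(idp.URL, "bob", time.Now().Add(time.Minute))))
}
```

With `go run`, the first token verifies, then after the mock rotates to key-2 the next token is rejected with an unknown kid until the TTL elapses and the JWKS is refetched. Two caveats for a real provider: the mock drops the old key on rotation, whereas an identity provider normally publishes old and new keys side by side for an overlap window, and an unknown kid on a fresh-looking cache is a good trigger for an early, rate-limited refetch rather than waiting out the full TTL, since otherwise every new connection fails until the timer fires.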