I added a review to https://github.com/apache/pulsar/pull/18336.

I do not think it will be a problem to accept this PIP and to add OIDC support. However, I think we should leave https://github.com/apache/pulsar/issues/8152 open because this PIP will not address the primary features requested in that issue.

Thanks,
Michael

On Mon, Feb 13, 2023 at 9:14 PM Zixuan Liu <node...@gmail.com> wrote:
>
> Ping Michael.
>
> Zixuan Liu <node...@gmail.com> wrote on Mon, Dec 26, 2022 at 11:07:
>
> > Hi Michael,
> >
> > Thank you for your suggestion!
> >
> > OIDC is very popular everywhere and makes great sense for Apache Pulsar.
> > Your OIDC plugin is excellent, it follows the OIDC standard and includes my
> > PIP idea. I'm looking forward to your OIDC plugin.
> >
> > However, some users didn't use the OIDC service, and it may be too
> > complicated to use your OIDC plugin, so I want to move forward with my PIP.
> >
> > Thanks,
> > Zixuan
> >
> > Michael Marshall <mmarsh...@apache.org> wrote on Sat, Dec 24, 2022 at 05:34:
> >
> >> I support adding JWKS retrieval to our Token Auth Provider, and thank
> >> you for your many security related contributions, Zixuan.
> >>
> >> I see your PIP implementation here [0]. I would like to discuss a
> >> competing implementation of a similar feature before we move forward
> >> with this PIP. I wrote an AuthenticationProviderPlugin to add OpenID
> >> Connect support here [1], and I would like to discuss contributing it
> >> to Apache Pulsar. My plugin supports retrieving JWKS from an identity
> >> provider, as your PIP proposes.
> >>
> >> In addition to the proposed additions in this PIP, my OIDC plugin:
> >>
> >> * supports multiple token issuers, known as trusted issuers in the plugin
> >>
> >> * retrieves the JWKS uri for each issuer from the token issuer's
> >> /.well-known/openid-configuration endpoint
> >>
> >> * retrieves the JWKS when a client attempts to connect using a token
> >> issued by one of the trusted issuers
> >>
> >> * refreshes the JWKS after a configured amount of time, which allows
> >> for seamless key rotation without needing to restart the
> >> proxy/broker/function worker. (Restarts are still needed to mitigate
> >> problems like leaked private keys.)
> >>
> >> I think these extra features would be very valuable in Apache Pulsar.
> >> I am not sure how to proceed in this case where there are two
> >> implementations, but I think that if we add an OIDC auth provider or
> >> merge my OIDC plugin into the TokenAuthProvider, we might not need
> >> this PIP in its current form.
> >>
> >> What is your perspective on my alternative solution?
> >>
> >> On a practical licensing note, contributing the OIDC plugin to Apache
> >> Pulsar should not face any issues because Lari Hotari and I are the
> >> sole contributors, and I have permission from Lari and DataStax to
> >> contribute it. It has Apache License 2.0.
> >>
> >> Thanks,
> >> Michael
> >>
> >> [0] https://github.com/apache/pulsar/pull/18336
> >> [1] https://github.com/datastax/pulsar-openid-connect-plugin
> >>
> >> On Wed, Dec 7, 2022 at 4:59 AM Zixuan Liu <node...@gmail.com> wrote:
> >> >
> >> > Hi all,
> >> >
> >> > I made a PIP to discuss: https://github.com/apache/pulsar/issues/18798.
> >> >
> >> > Thanks,
> >> > Zixuan
> >> >
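The trusted-issuer discovery and timed JWKS refresh that Michael's message lists, as an added Python sketch that is not part of the thread, of Pulsar, or of either plugin. The identity-provider responses, the sample token and the `JwksCache` class are all constructed here; the returned JWK is meant to be handed to a JWT library for signature verification, which this sketch deliberately does not perform.

```python
import base64, json, time

# Constructed stand-ins for the identity provider's HTTP responses (assumption:
# a real provider would fetch these over HTTPS with an HTTP client).
FAKE_HTTP = {
    "https://issuer-a.example/.well-known/openid-configuration": {
        "issuer": "https://issuer-a.example", "jwks_uri": "https://issuer-a.example/keys"},
    "https://issuer-a.example/keys": {
        "keys": [{"kid": "a1", "kty": "RSA", "e": "AQAB", "n": "constructed"}]},
}

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def _segment(token, index):  # decode one JWT segment; no signature check here
    part = token.split(".")[index]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

# Constructed, unsigned sample token (header.payload.signature) for the demo.
TRUSTED_TOKEN = ".".join([_b64url({"alg": "RS256", "kid": "a1"}),
                          _b64url({"iss": "https://issuer-a.example", "sub": "c1"}), "sig"])

class JwksCache:
    """Per-issuer JWKS cache: trusted-issuer check, discovery, timed refresh."""
    def __init__(self, trusted_issuers, refresh_seconds,
                 fetch=FAKE_HTTP.__getitem__, clock=time.time):
        self.trusted, self.refresh_seconds = set(trusted_issuers), refresh_seconds
        self.fetch, self.clock = fetch, clock
        self.cache = {}  # issuer -> (fetched_at, {kid: jwk})

    def _load(self, issuer):
        disco = self.fetch(issuer + "/.well-known/openid-configuration")
        if disco.get("issuer") != issuer:  # discovery doc must name the same issuer
            raise ValueError("discovery document issuer mismatch")
        jwks = self.fetch(disco["jwks_uri"])
        self.cache[issuer] = (self.clock(), {k["kid"]: k for k in jwks["keys"] if "kid" in k})

    def key_for(self, token):
        """Return the JWK named by the token header; verify the signature with it next."""
        issuer = _segment(token, 1).get("iss")
        # Only a configured trusted issuer may trigger a fetch: 'iss' is
        # attacker-controlled until the signature has been verified against it.
        if issuer not in self.trusted:
            raise ValueError("untrusted issuer: %r" % issuer)
        entry = self.cache.get(issuer)
        if entry is None or self.clock() - entry[0] >= self.refresh_seconds:
            self._load(issuer)
        kid = _segment(token, 0).get("kid")
        if kid not in self.cache[issuer][1]:
            self._load(issuer)  # unknown kid: keys may have rotated before the timer fired
        return self.cache[issuer][1][kid]  # KeyError if still unknown
```

In a real provider the reload on an unknown `kid` should be rate-limited per issuer, so that a burst of tokens with bogus key ids cannot turn into a burst of requests to the identity provider.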