Hi Michael,

You are right, I have already left https://github.com/apache/pulsar/issues/8152.

Thanks,
Zixuan

Michael Marshall <mmarsh...@apache.org> wrote on Wed, Feb 15, 2023 at 13:27:

> I added a review to https://github.com/apache/pulsar/pull/18336.
>
> I do not think it will be a problem to accept this PIP and to add OIDC
> support. However, I think we should leave
> https://github.com/apache/pulsar/issues/8152 open because this PIP
> will not address the primary features requested in that issue.
>
> Thanks,
> Michael
>
> On Mon, Feb 13, 2023 at 9:14 PM Zixuan Liu <node...@gmail.com> wrote:
> >
> > Ping Michael.
> >
> > Zixuan Liu <node...@gmail.com> wrote on Mon, Dec 26, 2022 at 11:07:
> >
> > > Hi Michael,
> > >
> > > Thank you for your suggestion!
> > >
> > > OIDC is very popular everywhere and makes great sense for Apache Pulsar.
> > > Your OIDC plugin is excellent; it follows the OIDC standard and includes my
> > > PIP idea. I'm looking forward to your OIDC plugin.
> > >
> > > However, some users didn't use the OIDC service, and it may be too
> > > complicated to use your OIDC plugin, so I want to move forward with my PIP.
> > >
> > > Thanks,
> > > Zixuan
> > >
> > > Michael Marshall <mmarsh...@apache.org> wrote on Sat, Dec 24, 2022 at 05:34:
> > >
> > > > I support adding JWKS retrieval to our Token Auth Provider, and thank
> > > > you for your many security related contributions, Zixuan.
> > > >
> > > > I see your PIP implementation here [0]. I would like to discuss a
> > > > competing implementation of a similar feature before we move forward
> > > > with this PIP. I wrote an AuthenticationProviderPlugin to add OpenID
> > > > Connect support here [1], and I would like to discuss contributing it
> > > > to Apache Pulsar. My plugin supports retrieving JWKS from an identity
> > > > provider, as your PIP proposes.
> > > >
> > > > In addition to the proposed additions in this PIP, my OIDC plugin:
> > > >
> > > > * supports multiple token issuers, known as trusted issuers in the plugin
> > > >
> > > > * retrieves the JWKS uri for each issuer from the token issuer's
> > > > /.well-known/openid-configuration endpoint
> > > >
> > > > * retrieves the JWKS when a client attempts to connect using a token
> > > > issued by one of the trusted issuers
> > > >
> > > > * refreshes the JWKS after a configured amount of time, which allows
> > > > for seamless key rotation without needing to restart the
> > > > proxy/broker/function worker. (Restarts are still needed to mitigate
> > > > problems like leaked private keys.)
> > > >
> > > > I think these extra features would be very valuable in Apache Pulsar.
> > > > I am not sure how to proceed in this case where there are two
> > > > implementations, but I think that if we add an OIDC auth provider or
> > > > merge my OIDC plugin into the TokenAuthProvider, we might not need
> > > > this PIP in its current form.
> > > >
> > > > What is your perspective on my alternative solution?
> > > >
> > > > On a practical licensing note, contributing the OIDC plugin to Apache
> > > > Pulsar should not face any issues because Lari Hotari and I are the
> > > > sole contributors, and I have permission from Lari and DataStax to
> > > > contribute it. It has Apache License 2.0.
> > > >
> > > > Thanks,
> > > > Michael
> > > >
> > > > [0] https://github.com/apache/pulsar/pull/18336
> > > > [1] https://github.com/datastax/pulsar-openid-connect-plugin
> > > >
> > > > On Wed, Dec 7, 2022 at 4:59 AM Zixuan Liu <node...@gmail.com> wrote:
> > > > >
> > > > > Hi all,
> > > > >
> > > > > I made a PIP to discuss: https://github.com/apache/pulsar/issues/18798.
> > > > >
> > > > > Thanks,
> > > > > Zixuan
> > > > >
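The trusted-issuer, discovery-then-JWKS, TTL-refresh flow that Michael's message describes, as an added illustration written for this thread rather than code from the pulsar-openid-connect-plugin or from Pulsar. The HTTP layer is replaced by a constructed in-memory table, and the JwksCache class, its method names and the placeholder key material are assumptions of this example, not the plugin's API.

```python
import time

# Constructed stand-in for HTTP GET: URL -> parsed JSON document.
# The "n" value is a placeholder, not a real RSA modulus.
FAKE_HTTP = {
    "https://issuer-a.example/.well-known/openid-configuration": {
        "issuer": "https://issuer-a.example",
        "jwks_uri": "https://issuer-a.example/keys",
    },
    "https://issuer-a.example/keys": {
        "keys": [{"kid": "key-1", "kty": "RSA", "e": "AQAB", "n": "PLACEHOLDER"}],
    },
}


class JwksCache:
    """Per-issuer JWKS cache: discovery doc -> jwks_uri -> keys, re-fetched after a TTL."""

    def __init__(self, trusted_issuers, fetch, ttl_seconds=3600, clock=time.monotonic):
        self.trusted = set(trusted_issuers)   # the allow-list of trusted issuers
        self.fetch = fetch                    # callable(url) -> dict
        self.ttl = ttl_seconds
        self.clock = clock
        self._cache = {}                      # issuer -> (keys_by_kid, fetched_at)
        self.refresh_count = 0                # exposed so refresh behaviour is observable

    def _load(self, issuer):
        # Step 1: the discovery document says where this issuer publishes its keys.
        disc = self.fetch(issuer.rstrip("/") + "/.well-known/openid-configuration")
        if disc.get("issuer") != issuer:
            raise ValueError("discovery 'issuer' does not match the configured issuer")
        # Step 2: fetch the JWKS and index it by key id for lookup from the token header.
        keys = {k["kid"]: k for k in self.fetch(disc["jwks_uri"])["keys"] if "kid" in k}
        self._cache[issuer] = (keys, self.clock())
        self.refresh_count += 1
        return keys

    def get_key(self, issuer, kid):
        """Return the JWK for (issuer, kid) or None; untrusted issuers are never fetched."""
        if issuer not in self.trusted:
            raise PermissionError("untrusted issuer: " + issuer)
        entry = self._cache.get(issuer)
        if entry is None or self.clock() - entry[1] >= self.ttl:
            keys = self._load(issuer)   # first use, or TTL expired: re-fetch for key rotation
        else:
            keys = entry[0]
        return keys.get(kid)
```

Signature verification itself is left to a JWT library; this block only shows how the verification key is selected and kept fresh.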