[
https://issues.apache.org/jira/browse/IMPALA-12232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18012669#comment-18012669
]
Paul Mayer edited comment on IMPALA-12232 at 8/7/25 6:27 PM:
-------------------------------------------------------------
[~jasonmfehr] : I thought the topic of supporting multiple issuers may be of
interest more broadly (Cloudera VW users like my org just being a subset of the
Impala userbase where the interest may arise more naturally). At present, it's
perfectly possible to supply cryptographic keys for multiple
issuers/idps/authorization servers in a jwks as long as all tokens use the same
username claim. In such a scenario it may not be sufficient for issuer and
audience claim validation to be done on two independent lists of allowed
values. Above are merely some thoughts/suggestions on what iss/aud claim
validation _could_ look like in a multi-issuer scenario if Impala wanted to
explicitly support such a (fringe?) thing.
was (Author: JIRAUSER308675):
[~jasonmfehr] : I mainly commented on this tracker because I thought the topic
of supporting multiple issuers may be of interest more broadly (Cloudera VW
users like my org just being a subset of the Impala userbase where the interest
may arise more naturally). At present, it's perfectly possible to supply
cryptographic keys for multiple issuers/idps/authorization servers in a jwks as
long as all tokens use the same username claim. In such a scenario it may not
be sufficient for issuer and audience claim validation to be done on two
independent lists of allowed values. Above are merely some thoughts/suggestions
on what iss/aud claim validation _could_ look like in a multi-issuer scenario if
Impala wanted to explicitly support such a thing.
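The point about two independent allow-lists, shown as an added example that is not Impala's code: with a shared JWKS, a token minted by one allowed issuer for an audience that only another issuer serves passes independent iss/aud checks but fails when each issuer is bound to its own audiences. Issuer URLs, audience names and claim sets are constructed, and the claims are assumed to come from a token whose signature was already verified against the JWKS.

```python
# Added example, not Impala's code: "iss"/"aud" checked against two independent
# allow-lists versus audiences bound to each issuer. All values are constructed.

# Independent allow-lists: any allowed issuer can be paired with any allowed audience.
ALLOWED_ISSUERS = {"https://idp-a.example", "https://idp-b.example"}
ALLOWED_AUDIENCES = {"impala-prod", "impala-analytics"}

# Per-issuer binding: an issuer only vouches for the audiences registered for it.
ISSUER_AUDIENCES = {
    "https://idp-a.example": {"impala-prod"},
    "https://idp-b.example": {"impala-analytics"},
}


def aud_values(claims):
    """RFC 7519 allows "aud" to be a single string or an array of strings."""
    aud = claims.get("aud")
    if aud is None:
        return set()
    return {aud} if isinstance(aud, str) else set(aud)


def validate_independent(claims):
    """iss and aud checked separately. A missing claim is rejected here, which is
    stricter than RFC 8725's "validate if present"; that policy is an assumption."""
    if claims.get("iss") not in ALLOWED_ISSUERS:
        return False
    return bool(aud_values(claims) & ALLOWED_AUDIENCES)


def validate_bound(claims):
    """aud must be one of the audiences registered for the token's own iss."""
    allowed = ISSUER_AUDIENCES.get(claims.get("iss"))
    if not allowed:
        return False
    return bool(aud_values(claims) & allowed)


# Constructed sample claim sets (signature verification is out of scope here).
CROSS_ISSUER = {"iss": "https://idp-b.example", "aud": "impala-prod", "sub": "alice"}
LEGITIMATE = {"iss": "https://idp-a.example", "aud": ["impala-prod", "billing"], "sub": "bob"}
UNKNOWN_ISSUER = {"iss": "https://idp-c.example", "aud": "impala-prod", "sub": "carol"}

if __name__ == "__main__":
    samples = [("cross-issuer", CROSS_ISSUER), ("legitimate", LEGITIMATE),
               ("unknown issuer", UNKNOWN_ISSUER)]
    for name, claims in samples:
        print(f"{name}: independent={validate_independent(claims)} "
              f"bound={validate_bound(claims)}")
```

The cross-issuer token is the case the comment describes: both values are individually allowed, so only the per-issuer binding rejects it.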
> Verify JWT Audience and Issuer Claims
> -------------------------------------
>
> Key: IMPALA-12232
> URL: https://issues.apache.org/jira/browse/IMPALA-12232
> Project: IMPALA
> Issue Type: Improvement
> Components: Backend, Security
> Reporter: Jason Fehr
> Assignee: Jason Fehr
> Priority: Major
> Labels: Impala, JWT, impala, jwt, security
>
> RFC 8725 contains JWT best practices that state the audience ("AUD") and
> issuer ("ISS") claims from a JWT should be validated if they are present.
> Impala currently has no mechanism to validate these claims.
> Implement [ISS claim
> validation|https://datatracker.ietf.org/doc/html/rfc8725#name-validate-issuer-and-subject]
> and [AUD claim
> validation|https://datatracker.ietf.org/doc/html/rfc8725#name-use-and-validate-audience].
--
This message was sent by Atlassian Jira
(v8.20.10#820010)