
Mandatory claims iss/iat/sub for opaque token

Open mrhydejc opened this issue 5 years ago • 4 comments

Hi, I'm using spring boot 2.1 / spring security as an authorisation server. This default implementation does not provide "iat" nor "iss" nor "sub" claims. Additionally, the default token type is "Bearer". (see spring) It seems that OAuthIntrospectionValidator is in charge of validation in my case (opaque token). It would be useful to me if you could make these validations optional and the token type configurable.

mrhydejc avatar Nov 26 '19 14:11 mrhydejc

CC @mstruk

scholzj avatar Nov 26 '19 14:11 scholzj

We can probably add some options to allow for this. I'll have to take a closer look.

mstruk avatar Nov 27 '19 09:11 mstruk

@mstruk Same issue with our implementation when we use pingfederate as our authorization server and use the introspection URL. pingfederate provides the "Bearer" token type. Additionally "iat" and "subject" are not returned, leading to us not being able to use oauth authentication with Strimzi. Following is the response from the introspection URL -

```
"iss": "https://federation-qa.xxx.com", "active": true, "token_type": "Bearer", "exp": 1577104504, "client_id": "client-poc"
```

scope can be added but is not returned by default.

torwolf avatar Dec 23 '19 12:12 torwolf

@torwolf What about the original token you send to the introspection endpoint - is it opaque or JWT, and if the latter, does it contain sub and iat?

It doesn't sound very useful to get a confirmation that the token is valid, but not get the most basic info about who the token belongs to (sub).

mstruk avatar Jan 02 '20 23:01 mstruk
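As an added example (not code from strimzi-kafka-oauth), here is one way the introspection-response checks discussed in the issue and in torwolf's comment could be made configurable: `active` and `exp` stay mandatory, while the `iss`/`iat`/`sub` requirement and the `token_type` comparison become policy knobs. `IntrospectionPolicy`, `validation_errors` and `principal_name` are hypothetical names, and the sample response is constructed from the one quoted above.

```python
import json
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the introspection response quoted in the thread above,
# wrapped in braces so it parses as a JSON object.
SAMPLE_RESPONSE = ('{"iss": "https://federation-qa.xxx.com", "active": true, '
                   '"token_type": "Bearer", "exp": 1577104504, "client_id": "client-poc"}')


@dataclass(frozen=True)
class IntrospectionPolicy:
    """Hypothetical knobs: which claims are mandatory and which token_type is accepted."""
    required_claims: Tuple[str, ...] = ("iss", "iat", "sub")  # strict default
    expected_token_type: Optional[str] = "Bearer"             # None disables the check
    expected_issuer: Optional[str] = None                     # None disables the check


def validation_errors(body: str, policy: IntrospectionPolicy, now: Optional[int] = None) -> List[str]:
    """Return every reason the introspection response should be rejected (empty list = accept)."""
    claims = json.loads(body)
    now = int(time.time()) if now is None else now
    errors = []
    # Never relax these: an inactive or expired token is rejected regardless of policy.
    if claims.get("active") is not True:
        errors.append("token is not active")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        errors.append("exp missing or in the past")
    if policy.expected_token_type is not None:
        tt = str(claims.get("token_type", ""))
        # Compare case-insensitively so "Bearer" and "bearer" are both accepted.
        if tt.lower() != policy.expected_token_type.lower():
            errors.append(f"unexpected token_type {tt!r}")
    if policy.expected_issuer is not None and claims.get("iss") != policy.expected_issuer:
        errors.append("issuer mismatch")
    missing = [c for c in policy.required_claims if c not in claims]
    if missing:
        errors.append("missing claims: " + ", ".join(missing))
    return errors


def principal_name(body: str) -> str:
    """Identity for the session: sub if present, else client_id (client-credentials case)."""
    claims = json.loads(body)
    return claims.get("sub") or claims["client_id"]
```

With the strict default policy the quoted response is rejected for lacking `iat` and `sub`; relaxing `required_claims` to `("iss",)` accepts it and falls back to `client_id` as the principal.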